Patient A, immediately prior to discharge, receives an oxygen tank from an outside DME company for him to take home. The DME representative comes to Patient A's bedside, educates Patient A on the oxygen tank, and then signs a document from the DME company with spaces for Patient A or the DME company to fill in the patient's name, DOB, address, insurance company, etc. The document is left at Patient A's bedside by the DME company.

Patient B calls the hospital after discharge and says to the hospital, "I was discharged with a copy of Patient A's oxygen tank order form."

An investigation is done which shows the following:

(1) Hospital does maintain a copy of the document from the DME company. It is something that gets given to the patient directly from the DME company and is not maintained in the medical record.

(2) Because the hospital does not have a copy, and Patient B has not/will not provide the copy he mistakenly received, the hospital has no way of knowing which portions of the document were filled out and which were left blank.

(3) The patients were not roommates -- they were in separate rooms, but the rooms are next to each other.

No one can recall handing Patient B any paperwork, or can understand why Patient B would have left the hospital with Patient A's oxygen tank receipt. There is no logical explanation as to how that paper got to another patient in another room.

Is this a HIPAA breach by the hospital?

Thank you all for your input!
Here is my thought process. I would presume that the hospital made the contact with the DME company to facilitate setting up home oxygen. As I understand, you would not need a Business Associate Agreement in place based on this guidance from OCR.
Applying the four-factor risk assessment:
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the factors listed above.
Does it meet an exception to the reporting requirement?
Because it is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment, I think it would be prudent to err on the side of caution by making a breach notification to Patient A and OCR.

There is a possibility that Patient B may have already notified or tried to contact Patient A to inform him/her of receiving the information.

I'd be interested to see how others in this group would analyze this incident.

Becky