The compliance officer of Sunshine Health, LLC (the name has been changed) learns one day that a patient is furious with his organization for a privacy breach about prescription medicine. That’s not unusual! But the story behind this one is.
This is a true story recently told to us by a client, and we want to share it to emphasize the importance of workforce training, and what to do in the event of a breach.
Disclosure of PHI Without Authorization is a Breach
A patient emailed Sunshine Health compliance department to complain that a Sunshine Health employee had disclosed protected health information to a lawyer she didn’t know. It turns out that a Sunshine Health employee was suing the Sunshine Health patient for a dog bite, but the compliance officer did NOT know his employee has sued their patient. The Sunshine Health employee is a home health caregiver who visits patients at home. One of those patients has a dog who allegedly bit the Sunshine Health caregiver during a visit.
The patient found out about the HIPAA breach in the lawsuit because the employee’s lawyer sent the patient interrogatories as part of the lawsuit (interrogatories are questions asked of both sides in a lawsuit to help discover the facts before going to court). Contained among the questions the patient received was detailed private health information, including a prescription she was taking. The employee suing for the dog bite was trying to make the case that the patient could not control her dog, because she was taking strong painkiller medication.
What is Protected Health Information?
The lawsuit by the Sunshine Health employee identifies the patient as a person receiving services from Sunshine Health.
Protected Health Information (PHI) is defined as health information including demographic information that identifies an individual and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
The information identifying the patient and relating to the provision of health care by Sunshine Health to the patient disclosed by the Sunshine employee in the lawsuit is health information originally created or received by Sunshine. Therefore, the disclosure of that information (alone, even without the additional details about prescriptions) by a Sunshine employee without a valid HIPAA authorization from the patient constitutes a reportable breach of unsecured PHI under the Breach Notification Rule.
Take These Steps When a HIPAA Breach Happens
Sunshine must notify the patient of the HIPAA breach without unreasonable delay and in no case later than 60 calendar days after Sunshine first discovered the breach. Our client was able to use a form (section BN-1.D) in The HIPAA E-Tool® as a template for the required notification.
Sunshine Health must also notify the U. S. Department of Health and Human Services (HHS) of the breach not later than 60 calendar days after the end of this calendar year through the HHS Breach Portal on its website.
Workforce Training is Essential
The workforce is the backbone of a full HIPAA compliance program. So they need HIPAA training, on a regular basis, to remind them about the importance of patient privacy, and how to maintain it. They need to learn the definition of Protected Health Information, and when an Authorization is required. Basic cybersecurity training is also key, how to recognize and defend against phishing.
Employees of covered entities and business associates who do not comply with HIPAA policies in spite of their training should be sanctioned for violating the policies. When the noncompliance is intentional and patient PHI is jeopardized, the sanctions could include termination.
The HIPAA E-Tool® Answers All the Questions
If you’re caught off guard, you need answers. A potential breach that crosses your desk needs to be analyzed and dealt with, on deadlines set by HHS. The HIPAA E-Tool® has a breach notification assessment with all the rules, and template forms to complete your responsibilities, and help is a phone call away.