Have you ever wanted to see an example of a HIPAA breach that occurred in real life? Look no further: I have a story to tell.
At The Fox Group, we get hundreds of questions about the business of healthcare every year, and HIPAA is always one of the most frequent subject areas. Mind you, HIPAA laws are complex, but violating them in a significant way can occur through otherwise rather simple actions. And as you'll see in the story that follows, there is often a domino effect, with plenty of liability to go around.
Was this a HIPAA Breach? It was our medical group’s ePHI, but we didn’t send the email!
The following is a HIPAA Breach question that was forwarded to me recently:
"Is this a HIPAA Breach on his part? We recently had an employed physician leave our practice. He formed another corporation and is opening his own practice. Subsequently he sent out a pan email to some of his patients (1000-1200) and some of our patients (150), unblinded. The email identified them as active patients in the original practice, with his notice of new business and a PDF file on how to request records from our practice. We became aware of this through several of our patients' notifications and their frustration over his email, with their personal information being present and their being identified as patients to a large group of other people."
"Further, it appears he obtained the patient list and emails from a prior vendor we had used to develop a website. The relationship was between us and the website/marketing company. Is this a HIPAA breach, to have obtained the contact information through a vendor with whom he did not have a relationship?"
My reply to this HIPAA Breach question.
An initial qualifier: while we have ample experience in this realm from an operational perspective, we are not attorneys and cannot give legal advice. My comments below represent our understanding of the HIPAA Breach regulations; you may need to consult an attorney if and when your patients file a complaint with the Office for Civil Rights (OCR) of HHS, which enforces the HIPAA privacy and breach regulations.
We advise people to approach email conservatively. Even the mere fact that a person is a patient at a particular type of physician specialty practice can be considered PHI, so a message that reveals who else is on a patient mailing list is a disclosure in itself. Your account of complaints from some patients validates that concern.
Yes, this is an example of a HIPAA Breach!
From your description, it sounds like both the website/marketing company and your former employed physician may have made unauthorized disclosures of PHI, or at least of confidential information such as email addresses (which are considered confidential in some states). Hopefully, you have a Business Associate Agreement (BAA) with your website/marketing company that requires them to take action, at your direction, to report a HIPAA Breach and/or notify affected patients. Even in the absence of a written BAA, the website/marketing company is your Business Associate by virtue of the work it performed for you, and it is required to comply with the HIPAA Breach notification provisions at your direction. You may also have a contractual dispute with the website/marketing company if they disclosed information to your previously employed physician without your permission.
The magnitude of the problem.
The PHI disclosure here is also significant because it exceeds the threshold of 500 persons at which notification to the media is required, in addition to individual notification. You should conduct a HIPAA Breach Assessment and consider these four factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
One problem with this situation is that you have no control over further distribution of the information: because it went out by email to so many people, every recipient now holds a copy that you cannot recall.
HIPAA Breach: what to do once it occurred.
You cannot enforce HIPAA regulations yourself against an outside party such as your former employee; most HIPAA Breach complaints have to be filed with the Office for Civil Rights, which investigates and enforces the regulations. You may consider reporting the unauthorized disclosure to the OCR, but keep in mind that if and when they get around to investigating it, they will also look at your own organization: your Policies & Procedures for protecting PHI, your HIPAA Breach policies, whether you have business associate agreements in place, and other HIPAA requirements. An investigation would also likely extend to the website/marketing company, assessing how they prevent unauthorized disclosures. You should consult with your cyber insurance carrier to understand your coverage for these types of situations. You may also have a claim for damages caused by your former employed physician.
We are sorry you are dealing with such a situation. It is an object lesson on protecting PHI, even when you think everyone you are dealing with is trustworthy.
So what’s the takeaway?
The takeaway from this example of a HIPAA breach should be pretty clear. HIPAA violations do occur, with or without explicit intent, and the financial and reputational consequences can be severe. For these reasons, and in support of the principles behind HIPAA law in the first place, compliance needs to be taken seriously. Hence the otherwise mundane things, such as HIPAA policies and procedures, periodic staff training, internal assessment practices, business associate agreements being in place, and proper insurance coverage, all become your best friends when something does go wrong.
Sure, having all these things in place will go a long way toward avoiding a problem in the first place, and that’s the idea! But in the face of a breach that occurred anyway, being able to demonstrate what you’ve been doing to minimize the chance of that happening can make all the difference in the world in the eyes of the law.
So, have you been doing all the right things with regard to your own HIPAA compliance practices? There's no time like the present to be sure.