Health Information Compliance Alert

YOU BE THE SECURITY EXPERT:

SHOULD WE FESS UP TO ALL ERRONEOUS DISCLOSURES?

Read the situation below and decide how you would handle it before you compare it to our expert's advice.

Question: What's the best policy for handling a misdirected PHI incident?

Answer: Nobody likes having to admit mistakes, but when your mistakes involve the accidental disclosure of an individual's protected health information, you need to be forthcoming with your mea culpas.

And when you add the accounting of disclosures provision to the mix, you've got all the more reason to notify and apologize to the affected individual for the error. According to David Ermer, an attorney with Gordon & Barnett in Washington, erroneous disclosures are considered accountable disclosures under HIPAA.

What this means is if that your organization should mistakenly send out a patient's PHI to an unintended recipient, then you must be sure to record the incident in the patient's accounting log--after you've corrected the error, of course.

But your responsibilities to the patient shouldn't just end there, says Donna Padnos, a senior management consultant with The Superior Consultant Company in Holly Springs, NC.

Best strategy: In addition to logging the accidental PHI disclosure, your organization should contact those affected and let them know what happened and what you're doing to correct the mistake, she advises. If you're up front about the error, then your patient won't have to first learn of your mistake from the accounting report.

As an example, Padnos refers to an incident involving HMO-giant Kaiser Permanente. A programming glitch at a Kaiser facility in Maryland caused over 800 e-mails containing sensitive health information to be sent to the wrong recipient. Immediately after the error was spotted and fixed, Kaiser began contacting every single member affected by the accidental disclosure and apologized to them.

Padnos applauds Kaiser's response as a good model for any covered entity dealing with an accidental PHI disclosure: "Rather than sweeping it under the rug, you're actually up front, declaring it, letting them know that you're sensitive to their privacy, albeit you made a mistake."

Other Articles in this issue of

Health Information Compliance Alert

View All