Facesheet attached to another pt's statement

sky

A patient's facesheet (the address, ph#, SSN, D.O.B., reason for visit, etc.) was accidentally stapled to another patient's statement. The patient who received the statement came in with the statement showing the facesheet attached. He stated he could have used all that info to apply for credit cards and loans, and he could even have sold the info. My question is, should there be some kind of letter sent to the patient whose info has been compromised, or should this just be let go as a mistake? I think the patient should be informed, and maybe the practice should pay for LifeLock or something like that for a year.
Can anybody help me with this?
 
Your practice should get a HIPAA compliance program in place ASAP. It would address this and many other HIPAA-related issues.

This particular incident is somewhat complicated, because your required course of action will depend on whether or not the disclosure qualifies as a "breach" by HHS's definition. HHS says that an impermissible disclosure [including an incident such as this] is defined as a breach unless you can demonstrate that there is a low probability that the disclosed information has been compromised, based on such factors as the nature and extent of the protected health information involved [in this case, lots of potentially very damaging information]; to whom the disclosure was made [in this case, an outsider, rather than just some other medical practice for example], and the extent to which the risk from the disclosure has been mitigated [in this case, it probably has been well mitigated by the fact that the other patient returned it to you before using or sharing it].

In light of the first two items, and in spite of the third, if this were my practice, I would conclude that this is a breach. However, I cannot make the analysis for you.

Here are excerpts from our practice's HIPAA Manual addressing such incidents:

Immediately upon becoming aware of and logging [yes, HIPAA requires you to maintain a log] any impermissible use or disclosure... the PSO [Privacy and Security Officer] will take action to determine whether or not it constitutes a breach.... If it is determined that a breach has occurred, the PSO, after consulting with the Practice Administrator and/or the practice owners, and/or an attorney..., but no more than 60 days (for breaches of paper or verbal PHI) or 45 days (for breaches of electronic PHI) following the first day on which the breach was, or should have been, known, will notify the patient by US mail [and will additionally notify them immediately if there are risk-modification actions the patient needs to take immediately]... [note that the letter should include details about what your practice has done, or what the patient can do, to minimize any further risk].... The PSO also will notify the OCR [HHS's Office for Civil Rights] within the 60-day timeframe if the breach (paper, verbal, or electronic) affected 500 or more patients, or within 60 days following the end of the calendar year if the breach affected fewer than 500 patients.

Be aware that these stringencies were not decided on by our practice, but are required by law. The HIPAA Privacy and Security Regulations have very specific requirements about what you must do when a breach occurs.

As you can see, the HIPAA Privacy and Security regulations are very complex. My recommendation would be either to take the AAPC's CPCO certification course, find another such course (such as AHIMA's Privacy and Security certification course), or hire an outside consultant to prepare a HIPAA Privacy and Security program for you. And in the meantime, I would ask a HIPAA-knowledgeable attorney what to do now.