Wiki Odd HIPAA case

colsonccsp@yahoo.com

If a statement for a patient was accidentally sent with a statement for another patient (as if the pages stuck together) is this a breach?

If the other patient who mistakenly received the additional incorrect statement was a hospital employee would this make a difference?

The statement contains the patient name and address as well as date of service and balance due.

I am interested in hearing your opinions on this

-Christina
 
Yes, this would be considered a "breach" because PHI was obtained by an unauthorized person, even if it is just financial information. It is information the CE (your practice or facility) created in the course of doing business. The issue now is if this information was "compromised." In other words, what is the likelihood that this information that was received by an unauthorized recipient was used in an inappropriate manner? The Omnibus rule doesn't give clear-cut answers for this. The CE has to determine whether this information is likely to be compromised and then notify the patient that his or her information was breached.

If the recipient is an employee, that doesn't necessarily make it compromised or not - that is to be determined by the CE. If the recipient isn't willing to send it back or destroy it, then that increases the chance of compromise. Ultimately that determination will fall on you, the CE, whether the likelihood of compromise will require that you send the notification letter.
 
The answer to the case was that it is indeed a breach if the other patient was not an employee. It would require notification to the patient whose info was sent in error.

If the other patient was an employee, in the case the question the incorrect statement was sent to a HIPAA trained ICU nurse, this would not be a breach because the nurse was an employee and destroyed the errant statement.

"This instance is not a privacy breach because the circumstance falls within the exceptions to the statutory definition of breach.

1. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the regulations governing protected individually identifiable health information at 45 C.F.R section 164.500-164.534

2. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the regulations governing protected individually identifiable health information at 45 C.F.R section 164.500-164.534"


So there you have it. Thank you for responding
 