The confidential medical records were compromised … what happens now?

Susan M. Pitz

Understandably, when patients hear that confidential information contained in medical records maintained by their physician has been stolen, lost or otherwise compromised, it is extremely upsetting.

Not only is the information sometimes sensitive in nature, but with the prevalence of identity theft, there is a great chance of financial harm. For physicians and other health care practitioners, the situation is not only upsetting on a personal level but also has serious legal implications because of the Breach Notification Rule enacted under the Health Information Technology for Economic and Clinical Health Act (commonly referred to as HITECH), which has now been further addressed in this year's amendments to the Health Insurance Portability and Accountability Act, formally referred to as the HIPAA Final Omnibus Rule.

Examples of common breaches include:

• a theft or break-in at a medical practice

• a laptop containing confidential patient information being lost or stolen

• the security of an online system containing patient health information being compromised

• an unauthorized employee accessing information for personal gain

When events such as these happen, time is of the essence, and practitioners are wise to acknowledge the issue right away and take the necessary measures to address the problem. When a breach is discovered, the next steps for a practitioner are to begin an investigation to verify who has been affected, to identify the parties to be notified, to determine ways to help mitigate the reputational and/or financial harm to patients and to examine how best to ensure a similar breach does not occur again. The various actions that need to be taken include:

• Investigation: After a breach has been identified, an investigation must begin immediately to determine who has been affected and whether notification is required. Under the HIPAA Final Omnibus Rule, an impermissible disclosure of protected health information (PHI, as defined under HIPAA) is presumed to be a breach unless there is a low probability that the PHI has been compromised. The government has identified a four-part test that requires the analysis of: the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

• Notification: If the investigation and risk analysis above indicate that PHI has been compromised, practitioners must provide notice of the breach to each individual affected without unreasonable delay, and in no event later than 60 days from discovery of the breach. The notification must include, to the extent possible: a description of the breach; a description of the types of information involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm and prevent further breaches; and contact information for the covered entity. In addition to individual notices, practitioners must submit information regarding each breach to the Department of Health and Human Services. For breaches that involve more than 500 people, notification through the media is also required.

• Mitigation: When a practitioner must notify his or her patient about a breach, it is imperative that the patient be informed about what actions have been taken to help mitigate the potential harm caused by the breach (e.g., the termination of an employee caught snooping in patient medical records and the steps taken to ensure the information was not shared with third parties). Furthermore, it is often wise to offer the patient information on credit monitoring if there is a chance that sensitive financial information has been compromised, which could lead to identity theft. If credit monitoring or other protections against identity theft are warranted, the practitioner can cover their cost. Doing so can help rebuild the trust and goodwill of his or her patients in the difficult time after a breach has occurred.

• Corrective action: Finally, after all the above steps have been taken, it is important for the practitioner to take the time to assess what went wrong in the first place. Ask what led to the breach of patients' confidential information and what can be done to ensure that the same thing never happens again. This is a good time to review the policies and procedures in place to address HIPAA requirements and to see how they should be strengthened going forward. An attorney who practices in this area can provide the help and guidance you may need.

Again, when confidential medical records are compromised, there is no time to wait; action must be taken immediately. It may be difficult to determine how to begin to address the problem with the affected individuals. However, notifying them is now not only the right thing to do but also legally required, unless you can establish that there is a low probability that PHI has in fact been compromised. If the above steps are followed, all parties should be better equipped to deal with the situation.

Susan M. Pitz, Esq., is a shareholder with the law firm Nutile Pitz & Associates in Henderson. The firm practices primarily in health care law and other general business matters.