Email of Unencrypted Patient Information to Home Computer Considered HIPAA Patient Privacy Breach

Written on January 6, 2011 by Morris Stemp in Healthcare

There have been so many new rules and regulations affecting the practice of medicine that it is hard to keep up with how they affect the day-to-day practice of caring for patients. One of the most important is the set of new HIPAA privacy and security rules related to protected health information (PHI) and the public notifications and announcements which must be issued in the event of a breach of this privacy.

Who would think that a doctor who simply emails some patient information from his office computer/email account to his personal email account, so that he could do some work from home, would be in breach of security and considered in violation of this privacy rule? This is exactly what happened at a Geisinger Health System hospital in Pennsylvania on November 3, 2010, although apparently that email included PHI for 2,928 patients. Due to the size of the “breach”, the hospital found itself in the embarrassing position of being legally required (by HIPAA) to notify each of the 2,928 patients by mail as to what transpired.

What actually did happen, and what information was “breached”? The doctor’s email was not encrypted, which means that anyone who could access the email would have been able to read the patient names, procedures, indications and brief notes. There was not even any personal patient financial information in the email. While it was very unlikely that anyone other than the doctor ever accessed the email, the mere possibility of this event apparently was sufficient for the hospital legal staff to consider themselves in breach of privacy.

Read the details of the Geisinger press release here: Geisinger informs patients of disclosure of protected health information

So how does this affect Dr Smith, a sole practitioner, or an 8-doctor group practice? According to the new regulations, even a breach involving a single patient must be disclosed to the individual whose information may have been disclosed. In the event of a breach of 500 or more records during a single event, the medical practice must also notify the Department of Health and Human Services, which is required to post a list of all entities that have had such massive breaches.

See more details about the Breach Notification Rule here: Breach Notification Rule

Could it be that every time a doctor uses Gmail (or similar) to send some medical information regarding even a single patient, maybe to a specialist, or even to the patient herself, the doctor has caused a “breach”? While I am not a lawyer and certainly not providing any legal advice, it would seem to me that according to Geisinger, this action would be a breach.

How many doctors have some amount of PHI stored on their laptops? There were 221,000 laptops reported stolen in 23 months during 2008 and 2009 (Stolen Laptops). How many more are lost or never reported? Any unencrypted laptop containing even a single report of patients’ names along with even some minor PHI would almost certainly be considered a breach.

This rule also requires even a one-doctor operation to have written policies and procedures regarding what the practice would do in the event of a breach, to train employees on these policies and procedures, and to document and apply appropriate sanctions against staff who do not comply with them. Thus, even without an actual breach, there are rules which must be followed and documentation which must be created.

Contact Micro Doctor, your local technology experts, for ways to prevent leaking PHI to personal unencrypted email accounts and unencrypted laptops.

Mark Richmond 330-898-2100 x 105

Thanks to Morris Stemp for writing this informative article.

Posted via email from Micro Doctor's Blog Central
