By Clifford Warren Lober, MD, JD, February 03, 2014
Bryan returns from lunch expecting a quiet afternoon. His receptionist tells him that Erin has been frantically trying to reach him. Bryan immediately returns Erin’s call.
Bryan: Erin, this is Bryan. How are you?
Erin: I really need your help. My nurse just told me that she tried to reach one of our patients, Ms. Roberts, to give her the results of a laboratory report. The patient did not answer her telephone, and her answering machine just said “Sorry we are not home. Please leave a message.” My nurse then left the report on the answering machine. This morning, however, we were called by a Mr. Echols who was quite upset and asked who Ms. Roberts was and why we left her test results on his answering machine! I suspect this is a violation of HIPAA.
Bryan: This type of violation, referred to as a breach, occurs when there is “acquisition, access, use, or disclosure of protected health information” in a manner not permitted by the HIPAA privacy rule. Under the most recent modification of HIPAA, which was effective last September, a breach is assumed to have occurred unless you can demonstrate “a low probability that the protected health information has been compromised.” This determination must be based, at a minimum, upon the nature and extent of the information disclosed, the person to whom the disclosure was made, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated. In this case, the information was clearly acquired and the person to whom the disclosure was made is upset and may or may not agree to disregard the information.
Erin: What should I do now? [pagebreak]
Bryan: You should immediately inform your designated privacy official of the incident since that person is responsible for the implementation and oversight of your HIPAA privacy rule compliance program. Working with your privacy official, you should first speak to your nurse and find out exactly what information was left on the answering machine. You should then minimize the damages by calling Mr. Echols and explaining that your nurse mistakenly reached his answering machine instead of an intended patient. Ask him to please erase and disregard the message. He may be more understanding if you apologize for any inconvenience or aggravation this may have caused him and assure him that you are taking steps to avoid this type of situation in the future.
Erin: What should I tell the patient?
Bryan: You should send a certified letter to the patient without unreasonable delay, but not later than 60 days after your discovery of the incident. The letter should inform her of what happened, including the date of the occurrence and a description of the information your nurse left on the answering machine. You should also tell Ms. Roberts of steps that she should take to protect herself from any potential harm, what you are doing to minimize any possible harm to her, and steps you are taking to prevent recurrences of this type of incident. Alternatively, since fewer than 10 patients were involved, you could contact her by telephone. But I would prefer having you contact her by certified mail to better document your good faith attempt to inform her.
Erin: Do I need to inform anyone else?
Bryan: You must notify the Secretary of the Department of Health and Human Services annually of any breach involving less than 500 individuals. If 500 or more patients had been involved, the notification requirements would have been far stricter. Be sure to enter the information on your Breach Notification Log, which is part of your HIPAA compliance manual. You should also notify your insurance company since you have a duty to notify them of adverse incidents. [pagebreak]
Erin: Do you mean my medical malpractice insurer?
Bryan: Some malpractice policies provide coverage, although often limited, for the defense of an alleged HIPAA violation. More importantly, do you remember that I recommended that you purchase regulatory liability insurance? That almost always covers HIPAA and state regulatory compliance issues. Please send me copies of these insurance policies and I will review them for you.
Erin: How bad could a penalty be?
Bryan: It depends. If your nurse did not know this type of action was a violation of HIPAA and by exercising reasonable diligence would not have known, the penalties range from $100 to $50,000 per violation. If the violation was due to reasonable cause and not willful neglect, penalties range from $1,000 to $50,000. The latter seems to be the case in this instance. However, if the violation had been due to willful neglect, which is clearly not the case here, the penalties start at $10,000 and, if not corrected, are $50,000 or more per incident. There is a maximum penalty of $1.5 million for repeated violations of an identical provision of HIPAA within a calendar year. Furthermore, if state privacy laws were violated, separate penalties may be assessed by the state.
Erin: Wow! I am sure glad I purchased the regulatory liability insurance you recommended. What should I do about my nurse who left the message?
Bryan: The HIPAA compliance manual we recently updated for your practice has explicit steps you should follow. Depending upon the severity of the breach and whether this individual has previously violated HIPAA or state privacy laws, your response may range from a verbal reminder to termination of employment. Document any action you take. Also make sure your designated privacy official is performing and documenting annual retraining of your entire staff on HIPAA privacy and security. [pagebreak]
Erin: You mentioned that this may also be a violation of our state privacy laws.
Bryan: That’s right. To the best of my knowledge, all states have privacy laws that govern the disclosure of protected health information. If these laws are stricter than HIPAA, the stricter state law must be followed. Alternatively, if state laws are not as strict as HIPAA, then HIPAA regulations take precedence. There are significant exceptions, such as in the case of minors, but none of these exceptions apply here. I will research our state privacy laws and let you know which state regulations apply to this situation.
Erin: Do you have any other advice?
Bryan: Yes. Remember that you must keep all documentation of this incident for six years. If you get any correspondence from the Office of Civil Rights, which is in charge of enforcing HIPAA, let me know immediately. Finally, please let me know how the conversation with Mr. Echols turns out.
If you have any suggestions for topics to be discussed in this column, please email them to me at firstname.lastname@example.org. See the February 2013 issue of Dermatology World for disclaimers.