Health Information Technologies and Processes

breaches and exposures 101--Please help!!!

  • 1.  breaches and exposures 101--Please help!!!

    Posted 23 days ago

    Hello -

    I began working as the compliance officer for a clinic system.  I just started a few months ago, and found the organization has no software, no forms, no letter templates.  The coding auditing piece is not new to me, but the role as the privacy/security officer is.  I have several questions following a situation where a staff member mailed a patient the wrong information.  The wrong patient brought in the paperwork, and it was placed in the shred bin.  Here are my questions:

    1.  Is this a breach?  In Section 164.404, it reads as though low probability that protected health information has been compromised based on the fact that the person returned the document, and we have coached the responsible staff person accordingly.

    2.  Do I have to do a risk assessment on every small, even incidental disclosure?

    3.  If so, what do I use?   I tried to use the HHS form I saw folks mention, but it asks for organization-specific detail and doesn't allow you to assess the breach.  Does anyone have a form?

    4.  Does a breach of this nature require a communication to the patient?

    I'm sorry for so many questions, but want to make sure I understand.



    ------------------------------
    Sarah Jackson
    Compliance Manager
    ------------------------------


  • 2.  RE: breaches and exposures 101--Please help!!!

    Posted 22 days ago

    Hi Sarah,

     

    It is a yes to all your questions. However, we use an electronic system to document everything. I can ask our Corporate Compliance department how they track them if that helps. I will let you know.


    Thanks,

    Karla

     






  • 3.  RE: breaches and exposures 101--Please help!!!

    Posted 22 days ago

    Hi Sarah, can you send me your work email or email me at kviruet@valleyhealth.com? I have a sample tracking spreadsheet for you.


    Karla

     






  • 4.  RE: breaches and exposures 101--Please help!!!

    Posted 22 days ago

    I agree with Aurae.  There have also been some revisions to 42 CFR and you must have specific consent to release substance use records.  I definitely would have specific auth for mental health and/or substance use releases.

     

    Lynn Boyes, RHIT

    Health Information Management Director,

    HIPAA Privacy Officer

    7010 S. Yale Ave | Tulsa, OK 74136
    lboyes@crsok.org 918.236.4135 direct line

    918.499.1598 fax


     

     

     






  • 5.  RE: breaches and exposures 101--Please help!!!

    Posted 21 days ago
    Attorneys I have worked with are very cautious about the word breach and definitely do not label every situation as a breach.  Based on what you are describing below, I would say no; probably not a breach.   However, it does look like you need to put in place some quality control checks to reduce the probability of this happening again.

    I would not conduct a risk assessment on everyone.  However, identify a random sample to review prior to being mailed.  Maybe weekly.  This would depend on your volume.

    Yes, the patient should be told.

    ------------------------------
    Chris Ordonia, MPH, RHIA, CPHQ
    ------------------------------



  • 6.  RE: breaches and exposures 101--Please help!!!

    Posted 21 days ago
    We treat all unauthorized disclosures as a potential breach and conduct a risk assessment.  
    Whether you determine it is a breach or not, I would notify the patient, including what you are doing to reduce the chance for this type of incident occurring again in the future.

    Lynn Boyes, RHIT

    Health Information Management Director,

    HIPAA Privacy Officer

    7010 S. Yale Ave | Tulsa, OK 74136
    lboyes@crsok.org 918.236.4135

    918.494.9870
