Health Information Technologies and Processes

Unaccounted for PHI sent on CDs

  • 1.  Unaccounted for PHI sent on CDs

    Posted 21 days ago
    Here's a scenario "inspired" by a question someone sent me.  Curious to see what people may think on the answer to the question of whether the scenario indicates that a breach has occurred.

    Scenario:
    Covered Entity addresses a package containing PHI on unencrypted CDs to the correct address of the individual requesting access to PHI.  Note that the individual specifically asked the CE to send CDs that were not encrypted.  The package was sent by FedEx and delivered to the individual's address.  The FedEx driver knocked on the door and then left the package on the ground next to the door.

    Monday, the individual calls the CE and asks for an update on the requested CDs and the individual is informed that the CDs were delivered by FedEx on Saturday and that the FedEx driver left the package by the front door.  The individual informs the CE that he/she never received the package.

    Feel free to share reasons on why this may be a breach or why this may not be a breach.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: Unaccounted for PHI sent on CDs

    Posted 20 days ago
    There is a lot that we have to assume with this request but assuming that they let the patient know the risk of the request, and assuming they followed the explicit instructions of the patient then it's not a breach.
    --
    Thanks Kris

    Kris Lundell MBA,  CIPP/US, CiPT, CHP, CHPS, HCISPP
    Privacy and Security Consultants LLC





  • 3.  RE: Unaccounted for PHI sent on CDs

    Posted 20 days ago
    Thanks Kris...let's see if we get any other responses.  For the sake of this example, we can treat as a given that the CE did what was required in fulfilling its duty to warn the individual of the risks associated with unencrypted CDs.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------