Confidentiality, Privacy and Security

Unaccounted for PHI sent on CDs

  • 1.  Unaccounted for PHI sent on CDs

    Posted 21 days ago
    Here's a scenario "inspired" by a question someone sent me.  Curious to see what people may think on the answer to the question of whether the scenario indicates that a breach has occurred.

    Covered Entity addresses a package containing PHI on unencrypted CDs to the correct address of the individual requesting access to PHI.  Note that the individual specifically asked the CE to send CDs that were not encrypted.  The package was sent by FedEx and delivered to the individual's address.  The FedEx driver knocked on the door and then left the package on the ground next to the door.

    Monday, the individual calls the CE and asks for an update on the requested CDs and the individual is informed that the CDs were delivered by FedEx on Saturday and that the FedEx driver left the package by the front door.  The individual informs the CE that he/she never received the package.

    Feel free to share reasons on why this may be a breach or why this may not be a breach.

    Frank Ruelas
    Compliance Professional

  • 2.  RE: Unaccounted for PHI sent on CDs

    Posted 20 days ago

    My thinking is this would not be considered a breach as the PHI was delivered to the appropriate location, as verified by FedEx.....what happens to it after that should not be the responsibility of the facility.......


    Wendy Mangin, MS, RHIA

    Director of Corporate Compliance


    Good Samaritan 

    520 S. Seventh St. | Vincennes, Indiana | 47591

    Hospital: 812.882.5220 | Direct: 812.885.3487 

    Fax: 812.885.3912 | 

    b326b5f8d23cd1e0f18df4c9265416f7  images   Website | Videos | News | Events