Confidentiality, Privacy and Security

Related to FedEx Question...US Mail...Happens More Often

  • 1.  Related to FedEx Question...US Mail...Happens More Often

    Posted 19 days ago
    Many thanks to those who shared their views on the FedEx question.  How about trying this one for sharing which takes us to a somewhat related scenario.  It involves the USPS.

    Scenario:
    Covered Entity sends PHI (example: printed copy) to a patient using a correctly addressed envelope:
    Patient Pete
    123 HIPAA Way
    Dallas, TX 75001

    The envelope clearly displays the patient's name in addition to the address and is marked on the outside as "confidential".

    The postperson is a bit busy on the day the mail is getting delivered and accidentally places the envelope at the incorrect address of Nosey Ned:
    123 HIPAA Drive
    Dallas, TX 75001.

    Ned sees the envelope and also realizes that it is not addressed to him but opens it and reads the PHI just the same.  Ned then puts the PHI back into the envelope and marks on the outside of the envelope "Delivered to the wrong address - return to sender".  He drops the envelope into the mailbox at his local post office on his way to work.

    The next day, the letter is delivered to the Covered Entity that sent it out in the first place.

    Breach?  No Breach?

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------


  • 2.  RE: Related to FedEx Question...US Mail...Happens More Often

    Posted 19 days ago
    Hard for me to equate this with an unauthorized disclosure by the provider...

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 3.  RE: Related to FedEx Question...US Mail...Happens More Often

    Posted 19 days ago
    True...some people may not go the unauthorized disclosure route...but certainly we have an unauthorized acquisition by Nosey Ned...and that takes us down the path of a presumed breach.  As Rebecca shared...one can do a risk assessment...or if not, can move down the path of a presumed breach.  This is a good example because the scenario, in my opinion, represents two "impermissibles" and we only need one.

    Good feedback on this...glad to see people sharing.  Very helpful.

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 4.  RE: Related to FedEx Question...US Mail...Happens More Often

    Posted 19 days ago

    There is not enough information to make that determination.  We would do a risk assessment, look at the information that was disclosed, what steps were taken to mitigate harm, etc.

     

     

    Becky Kilen, MS, RHIA, CHPS
    GHS Privacy Officer | Manager of Privacy
    GUNDERSEN HEALTH SYSTEM
    1900 South Avenue | Mail Stop:  AVS-001
    La Crosse, WI  54601
    Phone:  (608) 775-3549 | Fax:  (608) 775-4706
    rakilen@gundersenhealth.org
    Privacy Office: (608) 775-7439 | PrivacyOffice@gundersenhealth.org
    http://connect.gundluth.org/hipaa/home

     

     


  • 5.  RE: Related to FedEx Question...US Mail...Happens More Often

    Posted 19 days ago
    Edited by Ted Markovich 19 days ago
    This scenario assumes we know too much. The postal carrier's mistake would never be discovered. The returned parcel would be a mystery because the address as originally referenced IS correct. Breach in theory I suppose but try and prove it.
