I am looking for advice from anyone who might have had a similar incident…
A patient was given a CD with radiology images to take to a doctor's office out of town. Unfortunately, the CD contained another patient's images. The doctor's office, instead of destroying the CD, gave the CD back to the patient and the patient's significant other (SO), because they said they were going to return the CD to the hospital. The patient's SO contacted the hospital to let the Radiology Director know of the incident. A meeting was scheduled with the patient's SO, who was asked to bring the CD to the meeting. The SO did not have the CD at the meeting and is refusing to return the CD without financial compensation.
The actual patient called about the CD to see what could be worked out. The patient was advised, as per our attorney, that there was no process under the privacy regulations that would award any financial compensation for the PHI. The patient threatened to view the images on the CD and call the person whose images are on the CD so that patient could file a lawsuit. The patient said they were not holding the CD for "ransom", but needed to figure out how much money they were out for all of this. The patient said their salary should be compensated because of a delay in treatment and there should be compensation for the error. The patient was again asked for return of the CD, at which time the SO took the phone and said they would be waiting to hear from the CEO and hung up. They have not specified the exact amount of compensation they want, but will not return the CD until an amount suitable to them is reached.
We are going to report this as a breach. We do not know whose images are on the CD. The patient and SO mentioned the type of images and our Radiology Director, if they are correct, thinks he may know whose images they are. What do we do about patient notification in that case?
Should we report the doctor's office who gave the CD back to the patient instead of destroying the CD? Would that be a breach on their part?
What recourse do we have since the patient and significant other essentially are in possession of "stolen property" and are demanding financial compensation for return of the CD? Any advice would be greatly appreciated!
Nightmare for privacy officers – I would let your hospital attorney direct what happens next – assume that the attorney could threaten the patient and SO with a lawsuit for being in possession of PHI that does not belong to them. I would think you include, as part of your report on the OCR website, details about the CD being given back to the patient by the other covered entity, but I would think the original breach responsibility does lie with the hospital who gave the wrong CD to the patient in the beginning. I would confer with the attorney about contacting "who you think the other patient might be"... I would certainly rather they hear the story from me vs. the patient and SO, but if you can't be sure whose information is on the CD, that might not be the wisest approach – would let the attorney help make this decision. Keep us posted...
Wendy Mangin, MS, RHIA
Executive Project Director – Regulatory Compliance/Privacy Officer
520 S. Seventh St. | Vincennes, Indiana | 47591
Hospital: 812.882.5220 | Direct: 812.885.3487
Fax: 812.885.3912 | firstname.lastname@example.org
WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
Sec. 1177. [42 U.S.C. 1320d–6] (a) Offense.-A person who knowingly and in violation of this part-
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.
(b) Penalties.-A person described in subsection (a) shall-
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.