Confidentiality, Privacy & Security

Breach/Refusal to Return PHI

Donna Grindle, Bachelor of Science in Computer Science, CHPS, CHPC  02-07-2019 08:34

  • 1.  Breach/Refusal to Return PHI

    Posted 02-05-2019 17:46

    I am looking for advice from anyone who might have had a similar incident…

    A patient was given a CD with radiology images to take to a doctor's office out of town.  Unfortunately, the CD contained another patient's images.  The doctor's office, instead of destroying the CD, gave the CD back to the patient and the patient's significant other (SO), because they said they were going to return the CD to the hospital.  The patient's significant other contacted the hospital to let the Radiology Director know of the incident.  A meeting was scheduled with the patient's significant other and the patient's SO was asked to bring the CD to the meeting.  The SO did not have the CD at the meeting and is refusing to return the CD without financial compensation.

    The actual patient called about the CD to see what could be worked out. The patient was advised, as per our attorney, that there was no process under the privacy regulations that would award any financial compensation for the PHI.  The patient threatened to view the images on the CD and call the person whose images are on the CD so that patient could file a lawsuit.  The patient said they were not holding the CD for "ransom", but needed to figure out how much money they were out for all of this. The patient said their salary should be compensated because of a delay in treatment and there should be compensation for the error.  The patient was again asked for return of the CD, at which time the SO took the phone and said they would be waiting to hear from the CEO and hung up.

    They have not specified the exact amount of compensation they want, but will not return the CD until an amount suitable to them is reached.

    We are going to report this as a breach.  We do not know whose images are on the CD.  The patient and SO mentioned the type of images and our Radiology Director, if they are correct, thinks he may know whose images they are.  What do we do about patient notification in that case?

    Should we report the doctor's office who gave the CD back to the patient instead of destroying the CD?  Would that be a breach on their part?

    What recourse do we have since the patient and significant other essentially are in possession of "stolen property" and are demanding financial compensation for return of the CD?

    Any advice would be greatly appreciated!!!!

  • 2.  RE: Breach/Refusal to Return PHI

    Posted 02-05-2019 17:59
    In the AHIMA Introduction to Health Information Privacy and Security, Second Edition, they explain well the relation between HIPAA violations and HITECH prosecution.

    Section 1177(a) of the Social Security Act addresses criminal penalties associated with the wrongful disclosure of individually identifiable information. HITECH amends this and clarifies that a person, including an employee or other individual, may be criminally prosecuted for HIPAA privacy and security violations.

    The patient and significant other fall under willful neglect (intentionally failing to comply or being recklessly indifferent), which could be costly since they know it is not their information and are threatening to use the information for profit.

    Kris Lundell
    Privacy Officer

  • 3.  RE: Breach/Refusal to Return PHI

    Posted 02-06-2019 07:42

    Nightmare for privacy officers. I would let your hospital attorney direct what happens next; I assume that the attorney could threaten the patient and SO with a lawsuit for being in possession of PHI that does not belong to them.  I would think you include, as part of your report on the OCR website, details about the CD being given back to the patient by the other covered entity, but I would think the original breach responsibility does lie with the hospital who gave the wrong CD to the patient in the beginning.  I would confer with the attorney about contacting "who you think the other patient might be." I would certainly rather they hear the story from me vs the patient and SO, but if you can't be sure whose information is on the CD, that might not be the wisest approach; I would let the attorney help make this decision.  Keep us posted.

    Wendy Mangin, MS, RHIA
    Executive Project Director – Regulatory Compliance/Privacy Officer
    Good Samaritan
    520 S. Seventh St. | Vincennes, Indiana | 47591
    Hospital: 812.882.5220 | Direct: 812.885.3487
    Fax: 812.885.3912


  • 4.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 14:29
    Hi Kayla:

    I agree with what all the others stated.  You might check with your imaging PACS IT system analyst and see if they can identify the other patient's images that were downloaded in error.

    Marcia Matthias
    Corporate Director Health Information/Privacy Officer
    Southern Illinois Healthcare

  • 5.  RE: Breach/Refusal to Return PHI

    Posted 02-06-2019 08:36
    I suggest the following steps be taken at a minimum:
    1. Prepare a Certified letter for the patient indicating that they have PHI and request the immediate return of it.
    2. Indicate and cite the regulation that holds them accountable for protecting the PHI.
    3. Provide a postage paid CD case in the letter.
    4. In a separate envelope, send them their own radiology CD.
    5. Provide the 'referring physician' with the needed images for the patient.
    6. Purchase and provide a gas card for the mileage to and from the referring physician office.

    Certainly the case is reportable, even without the patient name, and it should be reported as soon as possible so that you are the first to report it. When you obtain the patient name on the CD that was inadvertently released, notify that patient as well.

    Denise Van Fleet, Program Coordinator, Bachelor HIM, Rasmussen College
    Former HIPAA Privacy Officer

  • 6.  RE: Breach/Refusal to Return PHI

    Posted 02-06-2019 10:21
    I'd recommend you engage law enforcement asap, that is stolen property.

    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions

  • 7.  RE: Breach/Refusal to Return PHI

    Posted 02-06-2019 22:40
    Edited by Michelle Green 02-06-2019 22:41
    For your convenience, here is the statute that was referenced in one of the answers. (I realize the patient did not knowingly obtain PHI about that other patient originally; however, she and her husband most certainly now know that they have the other patient's PHI because they are refusing to return it.) And I agree with Kelly McLendon that the hospital attorney should contact law enforcement, too.


    Sec. 1177. [42 U.S.C. 1320d–6] (a) Offense.-A person who knowingly and in violation of this part-

    (1) uses or causes to be used a unique health identifier;

    (2) obtains individually identifiable health information relating to an individual; or

    (3) discloses individually identifiable health information to another person,

    shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.

    (b) Penalties.-A person described in subsection (a) shall-

    (1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

    (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

    (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

    Michelle A. Green, MPS, RHIA, FAHIMA, CPC
    SUNY Distinguished Teaching Professor
    Mohawk Valley Community College
    Utica NY

  • 8.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 08:34
    I believe law enforcement should be notified ASAP. The way they obtained the PHI was through simple human error.  What they are doing with it afterwards is essentially criminal blackmail.  Let law enforcement sort it out. There is a good chance they will turn it over once the police show up.  

    You should also report to HHS ASAP. You can include all of the details and let them sort out what to do with the other practice. You can then amend the report with the patient name later.  This way you also get them involved, and they have the option to defer to DOJ for criminal charges as well. Plus, if there is any complaint about it by others, you have more documentation that you have done everything you can.

    Good luck!  Would love to know how it turns out. 

    Donna Grindle
    Founder and CEO, Kardon
    Co-host, Help Me With HIPAA podcast

  • 9.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 18:27
    I greatly appreciate everyone's input and advice.  This has been such a terrible situation to deal with over the last several days.  We have notified the patient and a letter will also be sent to the patient, certified, tomorrow.  I will be reporting this as a breach to the OCR.  As far as law enforcement, our attorney is still reluctant.  At this point, he is afraid this may cause the person in possession of the CD to do something even more unethical because we will not pay the ransom.

    Thank you again for taking time to post, I always appreciate your input and advice!

    Kayla Hill, RHIA
    Director of Health Information/Privacy/CDI

  • 10.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 20:26
    For me, much like a hostage situation, I see no good reason to cooperate with a hostage taker. They have no reason to follow through with their side of the "bargain". Probably why I'm not a negotiator.

    However, I hope the situation gets clearer for you and your staff. I don't even want to imagine having to deal with it.

    I did have a question though. While courtesy may have suggested the other clinic at least call you to confirm whether the information was supposed to go to the other patient, especially when the doctor realized it had been submitted and it wasn't theirs as they said:

    are there any actual legal/HIPAA ramifications for that doctor returning the disc to that person?

    Cody Todd, RHIT
    Health Info Svs Technician
    Mercy Hospital Springfield

  • 11.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 21:43
    Kayla, I am going to be very interested in learning how all of this resolves, even if it's a year from now.


    Michelle A. Green, MPS, RHIA, FAHIMA, CPC
    SUNY Distinguished Teaching Professor
    Mohawk Valley Community College
    Utica NY

  • 12.  RE: Breach/Refusal to Return PHI

    Posted 02-07-2019 22:04
    I think we are all eager to learn the outcome. I personally do not see this as a theft, since it was given to them. They should just be nice!
    Thanks for sharing!