A few thoughts on HIPAA
Real case scenario. A health care provider’s car gets broken into and private health information (“PHI”) is stolen, along with other items. Next steps? Once the provider determines that a breach of unsecured PHI has occurred (an incidental disclosure of PHI does not constitute a breach), the provider should perform a risk assessment to determine whether the event poses a significant risk of financial, reputational or other harm to the patient.
Under the scenario above, the disclosure is not incidental and a crime has already occurred. There is a reasonable likelihood that the criminal may pose a significant risk of financial, reputational or other harm to the patient, since the thief could carelessly discard the PHI or use it to take advantage of the patient’s identity.
The next step is notification of the patient(s) and the government. The HIPAA regulations provide direction regarding the timing and content of the notice.
Finally, the provider should make changes in its policies and procedures to assure that similar incidents do not occur in the future. The first change that comes to mind in this scenario is a policy that PHI is never left in a health care provider’s car. Government fines for HIPAA breaches can be hefty, but an appropriate, documented response to a breach can be beneficial in fine negotiations.