Home Care Law Blog Gilliland & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

Yet another disclosure where policies were not followed

Posted by: Robert Markette
October 30, 2006

I meant to mention this article last week, but last week was rather hectic around the office. Nevertheless, I wanted to mention the story in last week's Indianapolis Star regarding yet another incident of patient information being misplaced. For those of you outside Indianapolis, one of the major hospital systems in town recently reported an incident involving the protected health information of about 260,000 patients. This case was not the result of employee inadvertence, but business associate inadvertence.

The hospital had contracted with a consulting company to assist them with patient billing matters.  One of the consultant’s employees downloaded the names and billing information of 260,000 patients onto a number of CDs.  Apparently, this was done so that the contractor could work on the project without being at St. Francis.  The contractor purchased a new computer bag and placed her laptop and the CDs in the bag.  The contractor later returned the computer bag to the store, but left the CDs in the bag.

Luckily, the person who later purchased the bag and found the CDs contacted St. Francis and returned the disks. It turns out that the information on the disks was not encoded, as was required by both the hospital's and the business associate's policies and procedures.

Again, having policies and procedures in place does you no good if your employees do not follow them. In this case, the business associate's policies do you no good if their employees do not follow them. Of course, as a covered entity, you are required to obtain certain assurances in writing from your business associates, but you are not required to police their compliance with either the business associate contract they signed, their policies and procedures, or your policies and procedures.

Unfortunately, this is not a point your patients are likely to care about.  Whether the disclosure is your fault or your business associate’s, your patients are going to be concerned that their information was disclosed.   

The article mentions that business associates should never be able to download that much information, but if you use a third party to submit your claims to Medicare, Medicaid, or insurance, the business associate may very well receive information regarding all of your patients each billing cycle. The key is going to be how you get that information to them each month. For other contractors, you should ask some very thorough questions if the contractor is going to be downloading large volumes of information. Remember, you are supposed to use and/or disclose the minimum amount of protected health information necessary for the purpose of the use or disclosure.

I would suggest that your privacy officer be involved in the process to determine what is the minimum necessary amount of PHI.  You should have your employees download the information for the business associate.  This will ensure that your policies and procedures are followed.  While you still cannot guarantee the business associate will not make a mistake, you can at least demonstrate that you did everything in your power to keep the information secured, after having made a specific assessment of the need for the disclosure.

You might also consider language in a business associate agreement that would require the business associate to indemnify you for costs incurred from responding to an unauthorized disclosure of PHI or EPHI.  (Because responding can be costly.)

I should mention that HIPAA does not require any kind of “finding” before you disclose to a business associate, nor does it require special procedures to disclose to a business associate. Frankly, it does not specify how you implement the standards. These suggestions are aimed not just at HIPAA compliance, but also at providing you with a means to respond to the bad PR resulting from an unauthorized disclosure of PHI.

        



The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.