LAW OFFICE OF BRIAN GARVES





What Do You Do If There Has Been An Improper Disclosure?

Don't Panic!


First, investigate the situation.  The HIPAA Privacy Officer needs to be notified so that the Officer can conduct the investigation as soon as reasonably possible.  Don't drop everything to do the investigation, but don't let it sit for a couple of days either.  Letting the matter sit means that memories will not be as good, people may not be available and, if the disclosure was by an employee, the employee has time to think up an excuse or other story to justify what happened or to avoid looking bad.  Here are some questions to ask in the investigation:

  • How did the disclosure occur?

  • Who disclosed the information?

  • What information was disclosed?

  • Was the disclosure by an employee?

  • Was the disclosure intentional or inadvertent?

  • Who got the disclosed information?

  • Who did that person tell or further disclose the information to?

  • Does the patient/client know about the disclosure?


Second, work on improving your procedures and processes to see if future disclosures can be avoided. 

Don't overreact, but is there some way to avoid this happening again?  As one hospital stated in its policies:

The premise of the policy is that breaches of security, confidentiality and hospital policies and procedures may occur despite security and confidentiality protections. Early detection and response to such breaches is critical to stop any such breach, correct the problem and mitigate any harm.

 

Third, should the patient be told of the disclosure?  This depends on the situation and the potential harm to the patient.  HIPAA does not require that the patient be told; however, it does require that documentation of any disclosure be made, and since this was a disclosure (whether authorized or unauthorized), it needs to be documented in the patient's record.  The facility is obviously free to tell the patient if it so chooses, but there is no requirement to tell.

 

The facility's investigation should look at the issue of whether the patient should be told because of potential harm to the patient.  Let's say sensitive information, like the patient having AIDS, is disclosed and gets out to the public.  The patient may need to be told to the extent that some "vigilante-types" may harm him.  However, if the disclosure is limited to within the facility, and the people who received the information from the discloser are told that the information must be kept confidential, then the situation likely has been limited or stopped.  In this circumstance, the patient would probably not need to be told.
 

Fourth, the employee needs to be disciplined.  An inadvertent disclosure is going to be handled differently than an intentional one.  It is imperative that an employee who intentionally discloses information, or even just looks in a chart that the person has no authorization to look at, be disciplined significantly and consistently.  You will want to show your employees that confidentiality is important; if disclosers are not punished, employees will handle confidentiality carelessly.  In order to prevent a discrimination, harassment or unlawful termination suit, it is important that similar disclosure infractions be handled consistently.

 
