Companies that are the source of a data breach and want to provide identity theft prevention and mitigation services to affected individuals must do so for at least 12 months at no cost if the breach exposed or may have exposed personal information, according to the new law. California is the first state to impose such a law, according to The National Law Review.
The law also expands the range of businesses that are required to implement and maintain security procedures and practices to protect individuals’ personal information. Previously, businesses that own or license personal information about California residents were subject to the law, but now businesses that maintain personal information must comply as well. The law maintains that with certain exceptions a person or entity may not sell, advertise for sale, or offer to sell a person’s Social Security number. The law is effective January 1, 2015.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org, and we will work with our experts to provide the information you need.
Q: I recently read about a breach involving a subcontractor hired by the Maryland Developmental Disabilities Administration (DDA) to mail the administration’s annual quality-of-life survey to individuals who receive DDA services. The postcards were not enclosed in envelopes, thereby disclosing to anyone who viewed them that the intended recipients received services from DDA, so the administration reported the breach. I work for a medical equipment company that sends customer satisfaction survey postcards in the mail as well. While the only PHI listed on our postcards is name and address, it is apparent that they received some type of service or equipment from us. Is this truly a HIPAA breach? Should I assume the breach is caused by U.S. Postal Service workers viewing the information on the postcards?
A: I do not recommend sending any information to patients via postcard. In addition to post office employees, the individuals’ family members and others who may pick up the mail will see the information. This risk is probably not worth taking to save a few pennies on postage. In Maryland, PHI pertaining to mental health may receive special protections, which makes the initial scenario you mention more concerning, but postcards are not a good idea in any case.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, vice president of health information for Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
The Colorado Department of Health Care Policy and Financing announced October 10 that it unintentionally exposed the PHI of approximately 15,000 behavioral health patients, according to a news release.
The department mailed survey postcards to patients receiving behavioral health services from Medicaid or the Department of Human Services’ Office of Behavioral Health. The survey asked patients to provide feedback about the behavioral health serviced they received, which is a violation of HIPAA because the postcard was not in an envelope and could be read by anyone, according to the news release. The postcards did not list patients’ Social Security numbers, but included the following:
- First and last names
- A return address for Thoroughbred Research Group, which helped conduct the survey
- The Colorado Department of Health Care Policy and Financing logo
The department learned about the incident September 9 and later notified affected patients by mail. The letter to patients states that the department mailed the postcards July 30 and September 3.
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com and we will work with our experts to provide the information you need.
Q: Are there any penalties for sending an unencrypted email containing PHI to the intended recipient? Would this just be a violation of the CE’s policy and not a privacy breach under HITECH?
A: HIPAA and HITECH tell us that every CE must perform a documented risk assessment (preferably annually) to determine the level of risk and how it will handle various privacy and security issues. (For more guidance visit www.hhs.gov/news/press/2014pres/03/20140328a.html.)
You should consider and document the risk of sending unencrypted PHI to patients via email in your risk assessment. More and more CEs are deciding that sending unencrypted emails to patients is not worth the risk it poses.
In addition to the security risk, there is the chance that the patient may email you in an emergency, and you may fail to respond in a timely way. There is also the possibility that email can be forwarded, copied, or altered. Email also presents retention issues as providers will not always print the email exchange for the actual patient record. Fortunately, many organizations are implementing patient portals that not only have encrypted messaging functionality but also retain the exchange in the record.
Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
Nebraska Medical Center in Omaha recently fired two workers for inappropriately accessing the medical records of an American aid worker being treated for Ebola at the facility, according to the Associated Press.
An audit of the medical center’s EMR revealed that the employees violated Dr. Rick Sacra’s privacy by accessing his records without authorization. The medical center notified Sacra of the HIPAA privacy violation in person and in writing. He contracted Ebola while working in Africa and spent three weeks at Nebraska Medical Center where he was treated with an experimental Tekmira Pharmaceuticals drug called TKM-Ebola and later released. The medical center did not reveal why the employees accessed Sacra’s records, the Associated Press reported.