Q. We inadvertently sent a clinical note to the wrong healthcare provider. Must we conduct a risk analysis of this disclosure even if it is not a reportable breach? We documented the inadvertent disclosure in the patient’s electronic health record, but must we do more?
A. Your documentation should include a brief risk analysis, such as: “Minimal risk of harm to patient because information was disclosed to another staff physician, who also must comply with privacy regulations.”
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. Brandt is associate executive director of HIM at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for HIPAA privacy regulations. Advice given is general. Readers should consult professional counsel for specific legal, ethical, or clinical questions.