Q. What constitutes a privacy breach that requires notification to patients? Recently, a thief broke into an employee’s car and took her address/memo book. The book contained patients’ last names only and a medical ID number, or maybe first and last names with medical ID numbers, and an occasional note regarding the care or a question the patient asked. How should we handle this?
A. The American Recovery and Reinvestment Act of 2009 (ARRA) defines a breach as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. This incident meets the definition of a breach under ARRA.
You can find additional guidance in the interim final rule for breach notification for unsecured PHI, which became effective September 23, 2009. It remains in effect as of press time, pending issuance of a new final rule (see related story on the rule sent to OMB). The interim final rule includes a harm threshold provision, which allows an organization to omit notification of affected patients if it determines that the use or disclosure poses no significant risk of “financial, reputational, or other harm” to the individual.
Although this incident does constitute a privacy breach, you must evaluate the information contained in the address book to determine whether a significant risk of harm exists. For entries that include only the patient’s name and medical record number, the risk is probably not significant. If the notes regarding care or questions asked reveal the patient’s diagnosis, the risk may be significant.
Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, a nationally recognized expert on patient privacy, information security, and regulatory compliance, answered this question. She is associate executive director of Health Information Management (HIM) at Scott & White Healthcare in Temple, TX. Some of her publications were used as a basis for the Health Insurance Portability and Accountability Act of 1996 privacy regulations.