Q: A patient who presented with an order from the primary care physician for lab work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The patient said this violated HIPAA because the specialist did not need the laboratory test results. Did this violate HIPAA?
A: Pursuant to the HIPAA Privacy Rule [45 CFR 164.502(b)(2)(i)], the minimum necessary standard does not apply when sharing patient information for treatment purposes.
The ultimate question is whether the specialist needed to see the laboratory results with respect to the care being provided. If the answer is yes, the disclosure did not violate HIPAA.
If the specialist should not have received the laboratory results, a breach (although not necessarily a reportable breach) may have occurred. This merits investigation because it would constitute a security incident. All security incidents should be investigated, regardless of whether a breach occurred.
You should investigate this incident. You are not required to notify the patient or OCR if you conclude upon investigation that the patient will not experience significant harm. Refer to 45 CFR 164.402.
You must document the investigation. Responding to the patient complaint and explaining that you are taking steps to implement practices to prevent future similar occurrences is advisable.
Work with the laboratory to the extent feasible to prevent transmission of PHI to providers without a "need to know."
Editor's note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question, which first appeared in the May Briefings on HIPAA. Apgar has more than 17 years of experience in information technology; he specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.