HIPAA Breach: it's your ePHI, and even though you didn't send the email, you may be liable anyway!
This HIPAA Breach question was forwarded to me recently: “Is this a HIPAA Breach on his part? We recently had an employed physician leave our practice. He formed another corporation and is opening his own practice. Subsequently he sent out a pan email to some of his patients (1000-1200) and some of our patients (150) unblinded. The email identified them as active patients in the original practice with his notice of new business and a PDF file on how to request records from our practice. We became aware of this through several of our patients’ notification and frustration over his email with their personal information being present and being identified as patients to a large group of other people.”
“Further, it appears he obtained the patient list and emails from a prior vendor we had used to develop a website. The relationship was between us and the Website/marketing company. Is this a HIPAA breach to have obtained the contact information through a vendor with whom he did not have a relationship?”
My reply to this HIPAA Breach question:
An initial qualifier: we are not attorneys and cannot give legal advice. My comments below represent our understanding of the HIPAA Breach regulations; you may need to consult an attorney if/when your patients file a complaint with the Office of Civil Rights (OCR) of HHS and their enforcement of HIPAA Breach privacy regulations.
We advise people to approach email conservatively, on the grounds that even the disclosure of the fact that a person is a patient at a particular type of physician specialty practice could be considered PHI. Your account of complaints from some of your patients validates that concern.
This is a HIPAA Breach!
From your description, it sounds like both the website/marketing company and your former employed physician may have made unauthorized disclosures of PHI, or at the very least of confidential information such as email addresses (which are considered confidential in some states). Hopefully you have a Business Associate Agreement (BAA) with your website/marketing company that requires them to take action (at your direction) to report a HIPAA Breach and/or notify affected patients. Even in the absence of a written BAA, the website/marketing company is your Business Associate, and they are required to comply with the HIPAA Breach notification provisions, at your direction. You may also have a contractual dispute with the website/marketing company if they disclosed information to your previously employed physician without your permission.
The Magnitude of the HIPAA Breach.
The size of the PHI disclosure here also matters, since it exceeds the 500-person threshold above which notification of the media is required in addition to individual notification. You should conduct a HIPAA Breach Assessment and consider these factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
One particular problem with this situation is that you have no control over further distribution of the information, since it went out via email to so many people.
HIPAA Breach: what to do once it has occurred.
You cannot enforce HIPAA regulations yourself against an outside party like your former employee; most HIPAA Breach complaints have to be filed with the Office of Civil Rights, which investigates and enforces the regulations. You may consider reporting the unauthorized disclosure to the OCR, but keep in mind that if/when they get around to investigating it, they will also look at your own organization: your Policies & Procedures for protecting PHI, your HIPAA Breach policies, whether you have business associate agreements in place, and your compliance with other HIPAA requirements. An investigation would also likely extend to the website/marketing company, assessing how they prevent unauthorized disclosures. You should consult with your cyber insurance carrier to understand your coverage for these types of situations. You may also have a claim for damages caused by your former employed physician.
We are sorry you are dealing with such a situation. It is an object lesson on protecting PHI, even when you think everyone you are dealing with is trustworthy.