Question: One of our physicians took patient charts to the hospital. Two of those charts were lost. They contained personal information such as Social Security numbers as well as the clinical notes.
What information should I send to the patients?
(Submitted by a New York manager – name withheld by request.)
Answer: Respond first with common sense, advises health care law attorney Jeanine Lehman of Austin, TX.
If the hospital has a lost-and-found department, contact it.
Also, contact the hospital’s medical record department, because many times folders left unattended are automatically sent there.
But whether the charts are found or not, the office still has to notify the patients. It also has to notify the government in its year-end report.
Here are the requirements
The general rule is this:
Security breaches are governed by HITECH, which is the Health Information Technology for Economic and Clinical Health Act. It requires that HIPAA-covered entities notify patients, the government, and in severe cases the media when unsecured data is lost or stolen or used unlawfully.
Breach notification applies only to unsecured patient data, or data that can be read or used. Data that has been encrypted or destroyed doesn’t call for notification. It can’t be accessed, so there’s no security breach.
For breaches involving 500 or more patients, the office has to notify the government within 60 days.
With fewer than 500 patients, the office files a year-end report with the government.
Here’s what to tell the patients
As to when to notify the patients, the requirement is no more than 60 days after the discovery of the breach, Lehman says. And the notice has to be in writing.
As to what to tell those patients, give a short description of what has happened, the date it happened, and the date the office discovered it.
From there tell what type of information has been lost, perhaps the name, Social Security number, date of birth, home address, account number, diagnosis, clinical notes, disability information, and so on.
Then explain what the patients should do to prevent being damaged by the breach.
Most likely, the main concern is identity theft, she says, so the office should tell them to contact the main credit bureaus and see if protections can be added to their files.
The letter should also tell what the office is doing to investigate the breach, what it’s doing to mitigate any harm that could come to those patients, and what it’s doing to protect against future breaches.
Finally, it should give the name and phone number of a contact person for questions.
All that has to be “written in plain language” and mailed first class, she says. And if the danger is high and the matter urgent, the office should call the patients as well.
Also, Lehman says, exercise a little PR. For the sake of patient relations, make the tone of the letter personal and sympathetic.
“Let the patients know they are valued and that the office has empathy for their lost information” and regrets the inconvenience.
And here are some precautions
Lehman also points to safety precautions offices need to have in place, particularly for paper records. Keep in mind, she says, that it’s the breach reports that bring on the government’s HIPAA investigations.
• Evaluate the information that’s automatically included in the records and bills and take out whatever isn’t necessary.
For example, if the office doesn’t use the Social Security number or date of birth as the patient ID, leave it off the record.
The same for the bill. If the Social Security number isn’t necessary for posting, take it off.
• If the office’s system allows, keep the ID information in a business file for billing purposes and the clinical information in a separate file with minimal ID information. Then if the treatment file is lost, only limited data is at risk.
• Put a label on the cover of any file that leaves the office saying “please return to (office name and phone number).”
• When a physician takes a record out of the office, make a copy of only the information needed and leave the original in the office. Besides minimizing the information that could be compromised, that ensures the office doesn’t lose clinical information “that can’t be replaced.”
• Encrypt any information that goes on laptops and thumb drives. Portable devices are “a big area for enforcement,” she says, because they are so easily lost or stolen.
• Set a procedure for checking files out and back in so the office always knows who had the file last.
• And to keep track of which files have been checked out, put a plastic or cardboard place marker in the slot when the record is filed. That not only identifies the records that are out but also makes it easier to refile them.
Three separate HIPAA questions
And here are three more questions.
First question: If the office loses records and finds them before taking any action, does it still have to notify the patients and report a breach?
Yes, Lehman says. The same rules apply whether the information is found or not. Tell the patients what happened – when the records were lost and when they were recovered and so on. And also report the loss to the government as a breach.
Second question: Can patients sue the office for privacy breaches?
Lehman’s response is that “there’s always a possibility somebody will sue.” However, if the patient has not suffered any damage because of the breach, the likelihood of getting sued is slim.
On the other hand, if the ID is stolen and the patient’s bank account gets emptied out, there’s some basis for suing.
Third question: What should the office do if it’s contacted by HIPAA about a violation?
The answer is simple. “Contact an attorney immediately.” And make sure it’s an attorney who has health law experience. Then let the attorney take the lead in everything the office does.
“The downside is huge,” she says. Penalties are now high to the point that they could ruin a practice. Get an attorney in early and set a policy that all inquiries go through that attorney. There’s no margin for error.