Recent media focus on large data breaches involving laptop thefts or cyber hacking incidents has grown significantly, but basic incidents still abound and can pose greater threat to patients.
Recently, a conference attendee discussed an incident with our HIPAA Compliance Consultant, Kathryn Ayers Wickenhauser. The attendee’s practice had several checks disappear en route to the bank for deposit. The attendee questioned if this constituted a reportable HIPAA breach, because the checks were not necessarily written by patients, didn’t contain clinical information, nor did the practice know if the information had been seen or found by anyone.
It’s no surprise that clinic team members wanted to avoid labeling this as a breach. Labeling this as a breach would mean answering to many patients who would be justifiably angry. Further, because it was a batch of checks, it would require having to reconcile what payments were lost in the process.
Despite the instinct to turn and run, we must consider whether patient health information (PHI) is unsecured. The Office of the Inspector General (OIG) defines health information as any form or medium that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
We can garner that because at least some of these payments are for the provision of healthcare, it would be considered PHI. In addition, although not clinical data, checks have addresses, names, and phone numbers — all patient identifiers indicating a patient is involved with the clinic. If we are unaware of where the information is, we know the information is insecure and can safely determine that this is a breach.
As healthcare service providers, we have a duty to protect our patients. The root of HIPAA is to protect patients and maintain integrity. Although the checks may not include clinical information, or could have been for a purpose other than treatment, a batch of checks contain bank routing numbers, account numbers, names, and addresses on the check, allowing would-be thieves to write eChecks on the patient’s dime. If we are to assume that releasing an annual check-up to an uncovered entity is a potential risk to the patient, we can certainly presume that releasing access to one’s bank account could be a potential risk as well.
This blog was recently featured as a “Guest Blog” on The Compliance & Ethics Blog and is a finalist to be re-published as a magazine article in a 2016 edition of Compliance Today.