Identifying routine disclosures is key to safeguarding patient PHI

During what Jersey City Medical Center called “a part of routine hospital operations,” an employee sent a UPS package containing a CD of patient information to a company engaged by the New Jersey State Medicaid program.  The patient information on the CD was required by the state so it can review payments.  The package, sent on June 13, 2014, never made it to its destination and is presumably lost in transit.

It’s costly when a CD of patient information is lost… both to your patients — and to you.  What protections do you have in place?  You’ll need them during an audit.

The exact number of patients whose information has been affected has not yet been disclosed, but the Medical Center did state in a release on its website that, for a majority of those affected, the CD included social security numbers, dates of birth, internal Medical Center record numbers, and some additional information from patient visits. This additional information included admission and discharge dates, designation as an outpatient or inpatient, amount of charges incurred and amounts paid, the name of health insurance payers, number of days the patient received care, general type of claim and revenue code.  This information did not include patient addresses or personal contact information, or detailed information about the medical care the patient received.

Jersey City Medical Center is busy sending letters to the affected patients.  Although UPS has no evidence that the patient information has been accessed or misused by anyone, the hospital is offering affected patients 12 months of complimentary professional identity monitoring services.

Jersey City Medical Center is operated by LibertyHealth and is the region’s state-designated trauma center.  The hospital was recently named as New Jersey’s best hospital in its size category by licensed physicians throughout the state for a second consecutive year. The hospital, according to its website release, has “implemented measures to avoid similar incidents in the future and technological measures and retraining are also being implemented to minimize the chance of other such incidents.”

HIPAA Privacy’s “minimum necessary” rule requires an itemization of all routine disclosures of PHI, and a standard procedure for each of these disclosures.  Best practice when sending media via the postal service or another carrier is to encrypt the data.  Consequently, the hospital was obligated to identify an appropriate procedure for this routine disclosure in the first place.  Had the HIPAA Privacy rule been rigorously implemented using encryption, this breach could have been avoided.  The takeaway for hospitals and other covered entities is to review the requirements of the HIPAA Privacy rule for minimum necessary, to make the investment to identify all routine disclosures, and to use best practices when developing the procedure for each of these disclosures.
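The two obligations described above, an itemized register of routine disclosures with a fixed data set for each and a transport rule that requires encryption for physical media, can be turned into a pre-shipment check. The following is an added illustration, not code from the original post or from the hospital; the disclosure name, recipient, field names and sample records are constructed, and the field set is only modelled on the data categories the post lists for the Medicaid payment review.

```python
"""A small 'routine disclosure' register with a minimum-necessary check.

Constructed illustration: the register entry, field vocabulary and sample
export below are invented to show the shape of the check, not taken from
any real procedure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutineDisclosure:
    name: str
    recipient: str
    allowed_fields: frozenset   # the minimum necessary data set for this disclosure
    transport: str              # constructed vocabulary: "sftp" or "physical_media"
    encryption_required: bool   # transport rule for the procedure


# Constructed register entry modelled on the state payment review described in the post.
DISCLOSURES = {
    "medicaid_payment_review": RoutineDisclosure(
        name="medicaid_payment_review",
        recipient="state Medicaid review contractor (placeholder)",
        allowed_fields=frozenset({
            "mrn", "ssn", "dob", "admit_date", "discharge_date", "patient_class",
            "days_of_care", "charges", "paid", "payer", "claim_type", "revenue_code",
        }),
        transport="physical_media",
        encryption_required=True,
    ),
}


def check_export(disclosure_name, records, encrypted):
    """Return a list of policy violations; an empty list means the export may ship.

    Two things are checked: every record is limited to the disclosure's allowed
    fields, and an encryption-required transport is actually encrypted.
    """
    problems = []
    disclosure = DISCLOSURES.get(disclosure_name)
    if disclosure is None:
        # No procedure exists for a disclosure that was never itemized.
        return [f"'{disclosure_name}' is not an itemized routine disclosure"]
    for index, record in enumerate(records):
        extra = set(record) - disclosure.allowed_fields
        if extra:
            problems.append(f"record {index}: fields beyond minimum necessary: {sorted(extra)}")
    if disclosure.encryption_required and not encrypted:
        problems.append(f"{disclosure.transport} transport for '{disclosure.name}' requires encryption")
    return problems


def minimum_necessary(disclosure_name, records):
    """Project each record onto the disclosure's allowed field set (drops everything else)."""
    allowed = DISCLOSURES[disclosure_name].allowed_fields
    return [{key: value for key, value in record.items() if key in allowed} for record in records]


# Constructed sample: a billing export that also carries fields the review does not need.
SAMPLE_EXPORT = [
    {"mrn": "A1001", "ssn": "000-00-0001", "dob": "1970-01-01",
     "admit_date": "2014-05-01", "discharge_date": "2014-05-03",
     "patient_class": "inpatient", "days_of_care": 2, "charges": 1200.0,
     "paid": 900.0, "payer": "Medicaid", "claim_type": "institutional",
     "revenue_code": "0120", "home_address": "1 Example St", "diagnosis": "sample"},
]


if __name__ == "__main__":
    # The raw export, unencrypted: two violations (extra fields, missing encryption).
    for problem in check_export("medicaid_payment_review", SAMPLE_EXPORT, encrypted=False):
        print("VIOLATION:", problem)
    # Trimmed to the minimum necessary and encrypted: no violations.
    trimmed = minimum_necessary("medicaid_payment_review", SAMPLE_EXPORT)
    print(check_export("medicaid_payment_review", trimmed, encrypted=True))
```

The check deliberately refuses an export for any disclosure name that is not in the register, which is the operational form of the itemization requirement: if nobody wrote the procedure down, nothing ships under it.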
