Probable HIPAA violation. How to proceed?


At my group of clinics, we have a person trying to get new policies in place. In this effort, a compliance email was sent to all employees with a list of patients, their MRN, whether an employee called the patient, and who they were seeing that day. Everyone in our group got the email. The company uses a corporate Gmail account, so it isn't the most secure option. We piggyback off a larger health system's charting system, which the patient information was mined from. Would you bring these concerns to the individual or bring it up to the larger system's HIPAA compliance team?

Specializes in ACNP-BC, Adult Critical Care, Cardiology.

I would start by bringing the concern to the individual with a preface statement that the issue should also be brought up to the larger health system's privacy office because the information was mined from their EMR database. As an employee of a university health system, we have mandated annual privacy training and breach of confidentiality is made such a big deal that it would make me nervous for any hint of violation. Your group's relationship with this larger health system could be compromised.

Specializes in Primary care.

If it's a G Suite email product, Google will sign a business associate agreement, so with that and appropriate encryption in place this could be a compliant system.

13 minutes ago, Penguins10 said:

If it's a G Suite email product, Google will sign a business associate agreement, so with that and appropriate encryption in place this could be a compliant system.

Makes sense. I think it might meet that standard. But can you compile that kind of information and send it out company-wide like that? Providers and MAs have a need to know patient information. But that info, IMO, should only be shared with those who had direct contact with that encounter, not other staff in other clinics.

Specializes in Nephrology, Cardiology, ER, ICU.

Did they use identifying info when they did the mass email? We get metrics on all pts but they are only identified by sex/age.

2 hours ago, traumaRUs said:

Did they use identifying info when they did the mass email? We get metrics on all pts but they are only identified by sex/age.

First name, last name, clinician being seen, and date of service.

Specializes in Primary care.

Sorry, missed that part in my response. You're probably correct about sending identifiers to people not involved in care.

Specializes in Nephrology, Cardiology, ER, ICU.

19 hours ago, djmatte said:

First name, last name, clinician being seen, and date of service.

Yikes! Yes, even if it was encrypted, it should not have gone out to everyone. We use Outlook email, then further password-protect it, and the password comes to us in a second email.

For our texting and phone calls we use PerfectServe.
