Dent Neurologic Clerk Violates HIPPA by Emailing PHI to Patients

The theft of mobile devices may be one of the leading causes of HIPAA breaches, although human error can easily lead to patient health data being disclosed, with Dent Neurologic the latest healthcare organization to suffer a major HIPAA breach as a result of the actions of an employee.

Dent Neurologic, a neurologic institute serving Buffalo and West New York, accidentally distributed a spreadsheet containing PHI to 200 patients in a routine email. The spreadsheet contained data relating to 10,200 patients and was attached by accident to an email by a clerk in the DNI administration office.

The data did not contain information relating to treatment and diagnoses, nor Social Security numbers or dates of birth. However, patient names, email and home addresses, last appointment dates and the name of the treating doctor were all detailed in the spreadsheet.

Dent Neurologic CEO, Joseph V. Fritz, issued a news release explaining the error, which has been attributed to a mistake made by the clerk. Fritz stated that “We are very sorry this happened, and we deeply apologize to all of our patients, referring physicians and WNY health care partners.” He went on to say that “Patient confidentiality is extremely important in our field, and we take it very seriously, and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”

As required by the HIPAA Security Rule, all patients must be notified of the breach. Before that step was taken Dent made contact with all individuals who had been sent the email and asked patients to delete the email. Several patients of the institute have expressed serious concerns about the email and the security lapse.

While the hospital claimed it had notified all concerned, The Buffalo News made contact with a number of the persons affected by the breach and some claimed not to have been informed of the problem. Some patients believe the incident is a direct breach of HIPAA regulations and that the healthcare organizations did not take the necessary steps to ensure to keep patient data private.

A HIPAA breach is classed as impermissible use or disclosure of individually identifiable health information which compromises the privacy and security of PHI, which IN TURN poses a risk of harm, damage or loss to the individuals affected. At the present time, financial penalties are only issued for willful neglect which leads to the disclosure of PHI, although HIPAA violations could potentially also see fines issued.

As required by HIPAA, Dent will be contacting the persons affected by the breach to notify them that their PHI may have been viewed by unauthorized personal. According to the Buffalo News, at least two individuals who had been sent the E-mail had opened the attachment and viewed the data.

This is not the first time that Dent has been criticized for its patient communications. Recently a letter was sent to all patients in the Dent database by mistake, with the communication only intended for individuals being treated by Catholic Medical Partners physicians. That incident only caused confusion and did not breach HIPAA regulations; although the error suggests that policies and procedures need to be reassessed at the neurologic institute and the staff re-trained on data security and privacy issues.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.