On February 13, 2015, an employee of the Denton County Health Department inadvertently violated the Health Insurance Portability and Accountability Act (HIPAA) when a USB drive was left at a printer's shop. The drive contained a personal document that the employee wanted the shop staff to print.
The drive also contained the unencrypted Protected Health Information (PHI) of 874 patients who had received medical services through the Health Department's tuberculosis (TB) clinic. The data included the names of patients along with their TB test results, addresses, dates of birth and other PHI. No Social Security numbers were stored on the drive, nor any financial information.
Since personal identifiers and health information have potentially been exposed, and the incident involved more than 500 patient records, Denton County Health Department is obliged to report the data breach to the Department of Health and Human Services' Office for Civil Rights (OCR). The HIPAA Breach Notification Rule also requires notification letters to be sent to all affected individuals within 60 days of the discovery of the breach.
The USB drive was only left at the printer's for an hour; however, that would have been sufficient time for the files to be copied or printed.
Denton County Health Issues Breach Notification Letters
In accordance with HIPAA regulations and state laws, Denton County Health is notifying all affected individuals by first class mail that their PHI has potentially been exposed. Those individuals should receive the letters by next week: April 13-19, 2015.
It is not clear why Denton County Health waited over 55 days to issue the breach notification letters, as this could result in patients having to wait more than 60 days to find out about the breach. Under HIPAA Rules, organizations are required to issue notifications without unreasonable delay, and in no case later than 60 days after discovery.
If all of the letters are not sent within the 60-day timescale, this would be a further violation of HIPAA rules, and it is unclear why the Health Department would risk that. According to BJ Lewis of the Denton Record-Chronicle, Sarah McKinney, a spokeswoman for the Denton County Health Department, explained the delay: "A full internal investigation is being conducted and officials wanted to make sure they had all of the facts and were acting under the guidelines of the law to notify patients who may have been potentially affected, a process that is currently ongoing."
Breach Investigation Continues
According to a report on Star Local Media, the Director of Public Health for Denton County, Dr. Matt Richardson, believed the risk of exposure of PHI to be very low as there was no reason to believe that any information was accessed or used in an inappropriate manner.
The incident was voluntarily reported by the employee as soon as it was realized that there was PHI on the drive. This triggered an investigation to determine the facts of the HIPAA breach. Richardson said, "There is no evidence that any confidential information was accessed." He went on to say, "Nevertheless, in light of this event, we have reviewed and updated our internal policies and procedures, performed additional, mandatory training for all employees and have changed the way electronic files are stored."
What to Do if You Have Been Affected by a Breach of HIPAA Data
Unless the risk of misuse of PHI is deemed to be particularly low, the organization responsible for a breach will usually offer credit monitoring services, free of charge, to mitigate any damage caused. In this case, since the risk was deemed to be low and no financial information or Social Security numbers were exposed, credit monitoring services do not appear to have been offered.
Monitoring credit reports and benefits statements is the most practical way to identify fraudulent activity arising from a breach. Victims of breaches should therefore monitor benefits statements closely and query any discrepancies. Credit reports should also be obtained from each of the major credit agencies; each agency is obliged to provide one report every 12 months, without charge, to anyone who requests it.