
Denton County Health Dept Reports HIPAA Data Breach

On February 13, 2015, an employee of the Denton County Health Department inadvertently violated the Health Insurance Portability and Accountability Act (HIPAA) when a USB drive was left at a print shop. The drive contained a personal document that the employee wanted the shop staff to print.

The drive also contained the unencrypted Protected Health Information (PHI) of 874 patients who had received medical services through the Health Department's tuberculosis (TB) clinic. The data included the names of patients along with their TB test results, addresses, dates of birth and other PHI. No Social Security numbers were stored on the drive, nor any financial information.

Since personal identifiers and health information have potentially been exposed and the incident involved more than 500 patient records, Denton County Health Department is obliged to report the data breach to the Department of Health and Human Services' Office for Civil Rights (OCR). The HIPAA Breach Notification Rule also requires notification letters to be sent to all affected individuals without unreasonable delay, and in no case later than 60 days after the discovery of the breach.

The USB drive was only left at the print shop for an hour; however, that would have been sufficient time for the files to be copied or printed. Because the PHI was stored unencrypted, the incident had to be treated as a breach of unsecured PHI: had the drive been encrypted in line with HHS guidance, the data would have been considered secured and breach notification would not have been required.


Denton County Health Issues Breach Notification Letters

In accordance with HIPAA regulations and state law, Denton County Health is notifying all affected individuals by first class mail that their PHI has potentially been exposed. Those individuals should receive the letters next week, April 13-19, 2015.

It is not clear why Denton County Health waited more than 55 days to issue the breach notification letters, as this could result in some patients waiting more than 60 days to find out about the breach. Under HIPAA Rules, organizations are required to issue notifications without unreasonable delay, and the 60-day limit is a maximum, not a target.

If all of the letters are not sent within the 60-day window, that would be a further violation of HIPAA Rules, and it is unclear why the Health Department would risk one. According to BJ Lewis of the Denton Record Chronicle, Sarah McKinney, a spokeswoman for the Denton County Health Department, explained the delay: “A full internal investigation is being conducted and officials wanted to make sure they had all of the facts and were acting under the guidelines of the law to notify patients who may have been potentially affected, a process that is currently ongoing.”

Breach Investigation Continues

According to a report on Star Local Media, the Director of Public Health for Denton County, Dr. Matt Richardson, believes the risk of exposure of PHI to be very low, as there is no reason to believe that any information was accessed or used in an inappropriate manner.

The incident was voluntarily reported by the employee as soon as it was realized that there was PHI on the drive. This triggered an investigation to determine the facts of the HIPAA breach. Richardson said, “There is no evidence that any confidential information was accessed.” He went on to say, “Nevertheless, in light of this event, we have reviewed and updated our internal policies and procedures, performed additional, mandatory training for all employees and have changed the way electronic files are stored.”

What to Do if You Have Been Affected by a Breach of HIPAA Data

HIPAA does not require credit monitoring, but unless the risk of misuse of PHI is deemed to be particularly low, the organization responsible for a breach will usually provide credit monitoring services free of charge to mitigate any damage caused. In this case, since the risk was deemed to be low and no financial information or Social Security numbers were exposed, credit monitoring services do not appear to have been offered.

In practice, fraudulent use of exposed data is most often detected by monitoring credit reports and benefits statements. Victims of breaches should therefore check their Explanation of Benefits statements closely for services they did not receive and query any discrepancies. Annual credit reports should also be obtained from each of the major credit reporting agencies; each agency is obliged to provide one report per year without charge to anyone who requests it.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.