Denver Medical Center Reports HIPAA Privacy Violation

The Medical Center of Aurora, Colo., has suffered a potential HIPAA violation that exposed the data of 20 of its patients, according to a recent Fox31 Denver news report.

The incident involved paper records that were provided to a patient by mistake. Karen Billings was leaving the hospital after having received treatment, and in her discharge file was the paperwork of 20 other patients. She told reporters, “I was shocked. I was mad. I was hurt that I had somebody else’s information.”

The accidental disclosure of Protected Health Information (PHI) occurred on Nov 22, 2015, and since Billings was in the hospital at the time, the matter was swiftly dealt with. Or so it would seem.

A nurse took the file from Billings, removed the sheets corresponding to other patients, and handed the file back to Billings, who returned home. When she got back and checked her paperwork, she found that she still had seven pages of medical information relating to 20 other patients.

The paperwork included the name of each patient, their date of birth, the name of the procedure that was performed and the doctor who performed it. Prescribed medications were also listed.

The story was picked up by FOX31 reporters a month after the breach occurred. They contacted three of the people included on the list, who were concerned and upset to find out about the breach, and to have found out from the media rather than from the hospital.

In response to the report, the Medical Center of Aurora issued a statement confirming that the data breach was under investigation and the matter was being treated very seriously. “Our Facility Privacy Official immediately began an internal investigation and we are notifying the affected patients. We are committed to protecting the privacy of our patients and are reviewing internal procedures to determine additional safeguards we should implement.” The hospital will also be offering credit monitoring services to those affected.

In a busy hospital environment, mistakes can all too easily be made that lead to the accidental disclosure of PHI to a small number of individuals. In many cases no harm is suffered by the individuals affected – this may not always be the case – and many patients would understand that doctors and other medical professionals may occasionally make an administrative mistake.

The report suggests it is the breach response of the hospital that is viewed as more important in HIPAA violation cases such as this. Diedra Newman, one of the patients whose details were accidentally disclosed, told FOX31 Denver reporters, “They didn’t say anything, that’s more of my issue. They didn’t call and say hey, we’ve had a breach in our paperwork, our filing system.”

Patients are likely to be more understanding when swift action is taken to notify them of an unauthorized disclosure of their PHI, and organizations should endeavor to issue breach notifications well within the 60-day reporting period required under HIPAA rules.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.