A New York doctor made a simple but highly serious error this week that resulted in approximately 15,000 Social Security numbers and other Protected Health Information (PHI) being emailed to patients. Instead of attaching a coupon to an email, a spreadsheet containing patient names, appointment dates, home addresses, and Social Security numbers was attached and sent, according to an NBC news report.
One patient said dates of birth were also included in the spreadsheet, although this was not confirmed by the doctor’s office. The patient also claimed the email said “coupon attached.”
The email was sent from the office of Dr. Mary Ruth Buchness. Staff at the office were quickly alerted to the error by patients, and action was taken to recall the message. According to a member of staff from the office, only “a handful” of individuals had opened the email before it was recalled. Recalling a message is not always successful, however, and it may be some time before it is known how many people actually viewed the data contained in the spreadsheet. It is not yet clear who made the error.
The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to take steps to ensure the PHI of patients is secured at all times. The Security Rule demands that covered entities implement administrative, physical and technical safeguards to prevent the accidental or deliberate disclosure of PHI.
Under the administrative safeguards, covered entities are required to identify potential risks of ePHI disclosure and action must be taken to reduce those risks to an acceptable level. Access management controls must also be used to limit who has access to PHI. Training on HIPAA Privacy and Security rules must also be provided to all members of staff required to handle PHI.
While it is always possible for errors to be made when handling PHI, healthcare providers must ensure that the risk of PHI exposure is reduced to the minimal level. HIPAA may not demand that controls are put in place to prevent PHI from being emailed to unauthorized individuals, but the Department of Health and Human Services’ Office for Civil Rights (OCR) will be keen to discover exactly what administrative controls were implemented by the Soho Dermatologist’s office to reduce the risk of accidental disclosure of protected data.
The OCR investigates all data breaches involving exposure of the PHI of more than 500 individuals. If the investigation reveals that the data breach occurred as a direct result of a failure to implement safeguards to keep PHI secure, a financial penalty may be appropriate.
The penalties for failing to adhere to HIPAA Rules can be severe. Fines of up to $1.5 million can be issued by the OCR, and state attorneys general can also take action against individuals and corporations found to have exposed or disclosed the PHI of state residents. Such a simple mistake could prove to be very costly indeed.