Share this article on:
A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.
The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.
County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”
This is the second HIPAA breach in a month to be discovered by Meklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.
The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”
The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.
Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include signing off any information coming out of the health department by two employees. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.
The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach in the next 60 in accordance with HIPAA Rules.
Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.
All workers can make mistakes, but policies should be in place to prevent an error by a single employee resulting in a HIPAA violation and potentially, a significant HIPAA violation penalty. This incident shows how easy it is for a HIPAA breach to occur if adequate checks are not conducted.