The Salina Health Education Foundation, doing business as the Salina Family Healthcare Center, has caused a breach of 9,640 patient records after a member of staff submitted a database to the National Commission for Quality Assurance as part of a care coordination research study. The database was sent via email, and since the medium is insecure and the data was not encrypted, this potentially could lead to PHI falling into the hands of individuals unauthorized to view the information.
According to a statement released by the medical center in response to the breach, the incident occurred on April 8, 2014. The data that was exposed contained sensitive information which could potentially be used to commit fraud, although no Social Security numbers or financial information was present in the database.
Information included patient names and dates of birth, chart numbers and medical codes, all of which should have been removed prior to the data being sent. The lack of de-identification was immediately spotted by NCQA staff, who alerted the medical center and deleted the database. It is unlikely that the data was intercepted, and the risk to patients is understood to be very low.
The incident has been reported to the Office for Civil Rights, as required by the HIPAA Breach Notification Rule, although it is not clear whether the breach notification letters the same rule requires have been sent to affected individuals.
HIPAA requires a covered entity to take action immediately following the discovery of a breach to mitigate any damage caused, and to take steps to prevent future breaches from occurring. The Salina Family Healthcare Center was able to confirm that the database had been deleted, so no further risk remains, and it has embarked on a training program to ensure that all members of staff are fully aware of the requirements of HIPAA. The member of staff responsible for the breach has also been disciplined.
It may not be possible to eliminate human error, but covered entities can reduce the risk of accidental disclosure of Protected Health Information by ensuring that all members of staff are made aware of the rules and regulations covering the use, access and disclosure of Protected Health Information. All covered entities must provide full training to staff and should also conduct refresher training sessions periodically.
Since the OCR may choose to investigate organizations following data breaches – and via its audit program – it is essential that all training is documented. Members of staff receiving training must sign a document to say that the training has been provided, and these records must be stored securely and made available to auditors and investigators.
Regardless of the amount of training provided to the staff, if a covered entity cannot prove that training has been provided and received, it will constitute a violation of HIPAA and the CE could potentially receive a financial penalty for non-compliance.