Compliance Perspective – Breach:
The Compliance/Privacy Officer should review the facility’s policies and procedures for potential breaches of protected health information with the Administrator, the IT Manager and the Compliance Committee to ensure that an appropriate protocol is in place for responding to and correcting a breach in a timely manner. Under the Breach Notification Rule, a breach is treated as discovered on the first day it becomes known to the covered entity (or, by exercising reasonable diligence, would have become known), and the notification procedure that follows depends on the size and extent of the breach. Affected individuals must be notified in writing without unreasonable delay and no later than sixty (60) days after discovery, whatever the size of the breach. Breaches affecting fewer than 500 individuals must be logged and reported to the HHS Office for Civil Rights (OCR) annually; breaches affecting 500 or more individuals must be reported to OCR within the same 60-day window, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must also be notified. Administrative and IT staff should be trained on the Health Insurance Portability and Accountability Act (HIPAA) and its three relevant components: the Privacy Rule, the Security Rule and the Breach Notification Rule. The Compliance/Privacy Officer will request that the IT staff develop and implement an audit to determine the exact date of the breach, the information that was exposed, the individuals affected and the plan to prevent future breaches.
On August 13, officials of an Oregon healthcare system publicly disclosed a breach involving the protected health information (PHI) of about 38,000 patients. The breach is believed to have occurred sometime in May, but it was not discovered until June 21; the public announcement therefore came 53 days after discovery, inside the 60-day notification window. System officials believe the healthcare system’s patient information may have been accessed through an email breach. The exposed information included personal, medical and billing information of the affected patients.
The healthcare system’s spokesperson reported that a hotline has been established for patients to call with their questions. Reportedly, the system is working to inform affected patients about the breach, which potentially exposed patients’ names, dates of birth, health insurance information, billing information, medical information about the care they received, Social Security numbers and driver’s license information.
The healthcare system operates six hospitals and 70 clinics in Oregon and Washington, but not all of its patients are affected by the breach. There has been no indication that the accessed information has been misused.
An outside firm has been hired to investigate the breach and to notify in writing those whose information may have been disclosed. The healthcare system has indicated that it is implementing new policies and procedures to prevent such breaches in the future; however, what those changes will involve was not disclosed.
Notably, in 2016 an Oregon university settled with federal authorities for $2.7 million and enacted a corrective action plan for a pair of 2013 data breaches that exposed information about more than 7,000 patients.