Are you among the lucky healthcare providers who have never experienced a "Breach" of Protected Health Information (PHI)? You have run such a tight ship that a "Breach" has never occurred and that makes you feel relaxed and confident? And you are absolutely sure about that?
Good for you. However, statistics show that you are probably kidding yourself.
Here are some very common types of breaches. In the course of daily patient care and the pace of normal workflow these occur with remarkable frequency.
- Given a patient a visit summary belonging to another patient
- Sent a fax or email to the wrong recipient
- Mailed part of or an entire medical record to the wrong patient
- Had computer monitors positioned in a way so PHI could be read by patients or visitors to your facility
- Had a stolen device used for accessing or storing PHI
- Disposed of PHI in the trash rather than shred box
- Sent a text message containing PHI without a reasonable safeguard in place
- Disclosed PHI to friends or family
- Been less than circumspect when discussing patient information in the presence of others
- Have a monitor not set to proper time out
Yes, it can and probably does happen to you, despite your best efforts. All the care, concern, training, and dedication in the world does not make people perfect. And a mistake can be costly.
So How is a "Breach" Good Medicine?
Think about the breach as an excellent learning opportunity. A mistake recognized and corrected is certainly a mistake less likely to be made again. As Charles Parkhurst famously stated, "It is not often that joy reaches so deep a place in men's hearts as sorrow does. Defeat touches men in a way that victory does not." If a person makes an error and the error is recognized and corrected the probability of a recurrence is greatly diminished resulting in uttering of the well- known phrase, "I'll never do that again!" Experience is the great educator.
And another thing. Do you think the OCR believes that a breach has never occurred in a practice? Probably not. Subsequently, how would you view a practice that has had the occasional breach, recognized it, reported it, and taken corrective action? Honest, at least, and certainly careful, responsible, and attentive. In a way, breach discovery, reporting, and mitigation can inoculate your practice against skepticism in the event of an audit.
Finally, just because a "Breach" can be good medicine, it's still painfully obvious that one should never occur on purpose. Or did we even need to mention that!
Be careful. Do everything you can to avoid a "Breach." If one does occur, give it the respect it deserves. It can be "Good Medicine."