Requirements for Notification
This question was recently submitted by a client, but this situation could be encountered by any practice:
Q. What constitutes a privacy breach that requires notification to patients? Recently, a thief broke into an employee’s car and took her address/memo book. The book contained patients’ last names only and a medical ID number, or maybe first and last names with medical ID numbers, and an occasional note regarding the care or a question the patient asked. How should we handle this?
A. The American Recovery and Reinvestment Act of 2009 (ARRA) defines a breach as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. This incident meets the definition of a breach under ARRA.
Although this incident does constitute a privacy breach, you must evaluate the information contained in the address/memo book to determine whether a significant risk of harm exists. For entries that include only the patient’s name and medical record number, the risk is probably not significant. If the notes regarding care or questions asked reveal the patient’s diagnosis, the risk may be significant.