WHAT HAPPENS WHEN A PROVIDER ACCIDENTALLY REVEALS PERSONAL HEALTH INFORMATION?
Let’s say someone in your office accidentally sends a patient the information about a different patient? Or, your web portal allows patients to see other patients information? What to do?
Notifying Patient of Revealed Information
Both under Federal and State Law, the covered entity must notify all individuals whose unsecured protected health information has been accessed as a result of a security breach. Such notification may not be “unreasonably delayed” but must be within 60-days of the breach. It must be specific as to content disclosed. Also the Secretary of the Department of Health and Human Services must be notified. (See, generally: HSS Website.)
Review Your Policies
Security and Privacy procedures must be reviewed, and the review must be documented, and changes must be made to prevent reoccurrence.
California Law Has Additional Requirements
State law must be further consulted for further requirements. California’s general privacy laws and the Confidentiality of Medical Information Act apply.
There are civil and criminal penalties and there is a private cause of action
Talk to a Lawyer
When making a decision about revealed health information, speak to an attorney. The decisions about what to do should not be taken lightly as there can be major fines from both the federal and state government, as well as likely lawsuits by the patients involved.
Insurance
Make sure you have the right insurance. This is usually not included with your normal civil insurance or your malpractice insurance. Review your policies, talk to your broker. These policies can save you from the high costs of attorneys and helping your patients deal with the problems.