Stolen mobile devices may be one of the leading causes of HIPAA breaches, but simple human error can just as easily expose patient health data. Dent Neurologic is the latest healthcare group to suffer a major HIPAA breach because of a mistake by a member of staff.
Dent Neurologic, a neurologic institute operating in Buffalo and Western New York, accidentally sent a spreadsheet containing PHI to 200 patients in a routine email. The spreadsheet held data on 10,200 patients and was attached to the email in error by a clerk in the DNI administration office.
The data did not include information about treatment and diagnoses, nor Social Security numbers or dates of birth. However, patient names, email and home addresses, last appointment dates and the name of the treating doctor were all listed on the spreadsheet.
Dent Neurologic CEO Joseph V. Fritz released a news alert explaining the mistake, which has been attributed to an error made by the clerk. Fritz remarked, “We are very sorry this happened, and we deeply apologize to all of our patients, referring physicians and WNY health care partners.” He added, “Patient confidentiality is extremely important in our field, and we take it very seriously, and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”
The HIPAA Security Rule requires that all affected patients be notified of the violation. Before that step was taken, Dent contacted everyone who had received the email and asked them to delete it. Several of the institute's patients have voiced serious concerns about the email and the security lapse.
While the institute stated that it had notified everyone affected, The Buffalo News contacted a number of the people included in the breach, and some said they had not been informed of the issue. Some patients believe this is a direct breach of HIPAA regulations and that the healthcare center did not take the steps necessary to keep patient data private.
A HIPAA breach is defined as an impermissible use or disclosure of individually identifiable health information that compromises the privacy and security of PHI and, in turn, poses a risk of harm, damage or loss to the people affected. At present, financial sanctions are issued only for willful neglect that leads to the disclosure of PHI, although other HIPAA violations could potentially also attract fines.
As required by HIPAA, Dent will be contacting the people affected by the breach to warn them that their PHI may have been viewed by unauthorized persons. According to The Buffalo News, at least two recipients of the email had opened the attachment and viewed the information.
This is not the first time Dent has been criticized for its patient communications. Recently a letter intended only for patients being treated by Catholic Medical Partners physicians was sent in error to every patient in the Dent database. That incident caused only confusion and was not a HIPAA violation, but together the two errors suggest that the institute's policies and procedures need to be reviewed and its employees re-trained on data security and privacy.