The workforce of TriHealth Medical Practices, OH, has had to undergo retraining on the importance of protecting patient privacy after the Protected Health Information (PHI) of 2,433 patients was impermissibly disclosed to a medical student.
The impermissible disclosure of PHI to a medical student took place on June 8, 2018, and June 9, 2018, when a former TriHealth physician sent an email containing the PHI of 2,433 patients to a student mentee who was helping examine patient information for a possible research project.
The PHI disclosed to the student mentee included first and last names of patients, dates of birth, zip codes, ethnicity, life status, and cancer diagnosis information. The student mentee, however, was not a member of TriHealth’s workforce, and because of this the disclosure of PHI was not permitted by the Privacy Rule.
OCR, the Media, and Affected Individuals Notified – Corrective Actions Taken
On May 24, 2019, TriHealth notified HHS’ Office for Civil Rights, the media, and affected individuals of the data breach. According to the media release, Social Security numbers, addresses, insurance and financial information were not shared in the impermissible disclosure of PHI to a medical student.
Nonetheless, TriHealth set up a hotline for affected individuals with questions or concerns about the breach. In addition, TriHealth sanctioned the former physician and provided additional HIPAA training to all members of the workforce on the importance of protecting patient privacy.
According to the breach report submitted to HHS’ Office for Civil Rights, TriHealth also implemented additional administrative safeguards to better protect its data. Having received assurances that TriHealth had implemented the required corrective measures, the agency took no further action and closed the case.
The Consequences of the Impermissible Disclosure of PHI to a Medical Student
Although HHS’ Office for Civil Rights decided not to fine TriHealth on this occasion, the impermissible disclosure of PHI to a medical student would not have been without its costs. In April 2019, the Health Sector Cybersecurity Coordination Center (HC3) estimated that the cost of responding to a data breach was as much as $408 per record.
While the costs of responding to the impermissible disclosure of PHI to a medical student would have been less on this occasion (because the organization did not have to pay for credit monitoring services for affected individuals), TriHealth still incurred significant costs for providing additional HIPAA training to all members of its workforce.
The lesson to be learned from this incident is the importance of reinforcing HIPAA compliance via refresher training so that members of the workforce are more alert to permissible – and impermissible – disclosures of PHI.