TriHealth Workforce Retrained after Impermissible Disclosure of PHI to a Medical Student

May 30, 2019

The workforce of TriHealth Medical Practices, OH, has had to undergo retraining on the importance of protecting patient privacy after the Protected Health Information (PHI) of 2,433 patients was impermissibly disclosed to a medical student.

The impermissible disclosure of PHI to a medical student took place on June 8, 2018, and June 9, 2018, when a former TriHealth physician sent an email containing the PHI of 2,433 patients to a student mentee who was helping examine patient information for a possible research project.

The PHI disclosed to the student mentee included first and last names of patients, dates of birth, zip codes, ethnicity, life status, and cancer diagnosis information. However, the student mentee was not a member of TriHealth’s workforce, and – because of this – the disclosure of PHI was not permitted by the Privacy Rule.

OCR, the Media, and Affected Individuals Notified – Corrective Actions Taken

On 24 May 2019, TriHealth notified HHS’ Office for Civil Rights, the media, and affected individuals of the data breach. According to the media release, Social Security numbers, addresses, insurance and financial information were not shared in the impermissible disclosure of PHI to a medical student.

Nonetheless, TriHealth set up a hotline for affected individuals with questions or concerns about the breach. In addition, TriHealth sanctioned the former physician and provided additional HIPAA training to all members of the workforce on the importance of protecting patient privacy.

According to the breach report submitted to HHS’ Office for Civil Rights, TriHealth also implemented additional administrative safeguards to better protect its data. Having received assurances that TriHealth had implemented the required corrective measures, the agency took no further action and closed the case.

The Consequences of the Impermissible Disclosure of PHI to a Medical Student

Although HHS’ Office for Civil Rights decided not to fine TriHealth on this occasion, the impermissible disclosure of PHI to a medical student would not have been without its costs. In April 2019, the Health Sector Cybersecurity Coordination Center (HC3) estimated that the cost of responding to a data breach was as much as $408 per record.

While the costs of responding to the impermissible disclosure of PHI to a medical student would have been less on this occasion (because the organization did not have to pay for credit monitoring services for affected individuals), TriHealth still incurred significant costs for providing additional HIPAA training to all members of its workforce.

The lesson to be learned from this incident is the importance of reinforcing HIPAA compliance via refresher training so that members of the workforce are more alert to permissible – and impermissible – disclosures of PHI.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.
