[ Tuesday, April 10, 2012 ]
Duke HIPAA Breach? According to this
, Duke University Health System has notified a group of individuals about an "incident" involving disclosure of medical information. For certain bankruptcy matters, where the patient owed money to Duke, Duke must file a proof of claim to show that their debt is legitimate. Duke attached some information to these proofs of claim, including patient name and address, internal medical record numbers and other identifiers, insurance carriers, and a brief description of services rendered.
Interestingly, the Duke statement is very careful not to call the "incident" a breach or even indicate that it could be a HIPAA violation. Why?
The data is definitely PHI. However, PHI can be disclosed for treatment, payment, and healthcare operations. Why did Duke disclose this data in bankruptcy court records? To get paid. That makes it a disclosure for payment purposes, so no HIPAA breach, right? Maybe: while the purpose of the disclosure may be OK, Duke must still limit the information disclosed to the "minimum necessary" to serve the purpose of the disclosure. Did the information contain more than the minimum necessary? Maybe, particularly with regard to the internal identifiers and that sort of information. Maybe the description of services, which is clearly the most sensitive data, would be necessary to indicate what the debt relates to, but the rest seems to be unnecessary for a proof of claim.
BUT, even if it is a breach of the minimum necessary, no SSNs were disclosed, and depending on the specific data, you could probably determine that there's not a "substantial risk of harm" to most of the debtors whose data was disclosed. So, if Duke did a breach risk analysis and determined a lack of substantial risk of harm, they wouldn't have to give any notice. However, that's rolling the dice, for sure. So, I'm guessing they decided to provide the notice, but not admit that the "incident" is actually a "breach."
Jeff [5:17 PM]
Blogger: HIPAA Blog - Edit your Template