[ Tuesday, June 10, 2014 ]
Penn State-Hershey Hospital Breach: Should this have been reported?
Jeff [10:47 AM]
A lab tech accessed PHI of 1800 patients via his home computer using a flash drive, and sent some PHI to two doctors via his personal email. The flash drive wasn't encrypted, nor were the emails.
I'm pretty surprised this did not meet the "low threshold of compromise" standard for non-reporting. The staff member was authorized to access the PHI, just not outside the security of the hospital's computing environment. The flash drive wasn't encrypted, but wasn't lost or apparently outside the control of the tech. The data was definitely PHI, but did not include social security numbers, so it's a low ID theft risk. The emails were to physicians, presumably proper parties to receive the PHI (just not via unsecure email). If the data is scrubbed from the tech's personal email account, and the doctors have secure accounts (or also scrub the data), where's the risk of compromise? That someone snatched the PHI out of the ether while it was being emailed? Possible, but a very low risk.
The more I think about it, the more I think this should not have been reported. This is much more likely to (i) unnecessarily worry patients who receive notices, and (ii) increase the likelihood of "alarm fatigue" by providing a false positive. Fix the problem, fix your policies if you need to (prevent the use of flash drives or only allow encrypted ones), retrain the staff, sanction this employee, make this a teachable moment . . . but don't ring the alarm bell when it's not necessary.