No Harm No Foul Case Study


This comes across as an approach of “No harm, no foul”, which is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things. There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI, even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred. The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule. Unless an organization can reasonably conclude there is a low probability that the PHI has been compromised, it is required to comply with the applicable breach notification provisions, even if there is no …

The person sending the email said he did not delete the PHI because he wanted the union rep to see the information the manager had sent out, implying he was sending it to get his boss in trouble. It was not an inadvertent disclosure to someone else in the organization who was authorized to view PHI. It was not based on a good faith belief that the person to whom the disclosure was made would not reasonably have been able to retain the information. Certainly email is highly retainable – and easy to pass along. The person receiving the email agreed to delete it, and maintained she had not passed it along, which addressed the mitigation of risk and ultimately supports a finding of a non-reportable breach, with no notification to the individuals whose PHI was disclosed. The fact remains, however, that a professional in the organization decided to send PHI in an email to a person outside the organization. It is highly doubtful the OCR would consider this disclosure a part of Treatment, Payment or Operations. Even in the event there was a need to share specific information as part of a grievance procedure, there is no reason to include identifiable patient information in such a case. We understand that considering and imposing sanctions for unauthorized disclosures is a never-ending and thankless task, but consider the alternatives. What will you do the next time a similar action is taken by an employee? Especially
