January 9, 2014

Question: We recently sent patient information to the wrong recipient.  Rather than sending a package to our malpractice counsel, we sent it to another hospital across town.  The information in question included CDs with imaging studies and two pages of a radiology report that included the patient’s name and medical record number.  The hospital that received the information tells us that it recognized immediately that the information had been mis-addressed and called us right away.  There were over 100 imaging studies on the CDs.  Do we have to notify the patients of this incident?

Answer: Probably not.  To understand why, it may help to review the HIPAA breach reporting requirements.

In the past, if a patient’s “unsecured” Protected Health Information (“PHI”) (i.e., not encrypted) was improperly used or disclosed, the hospital was required to conduct a “harm analysis” to determine if there was a “significant risk of financial, reputational, or other harm to the patient.”

HHS believed this test made it too easy for hospitals and physicians to avoid notifying patients.  Thus, under the January 25, 2013 final regulation, an improper use or disclosure of PHI is “presumed” to require patient notification unless the covered entity demonstrates there is a “low probability” that the PHI has been “compromised” based on a risk assessment that considers various factors.  This is a lower threshold for patient notification.

In evaluating whether PHI was “compromised,” the new regulation requires hospitals to consider at least the following factors:

(1)        nature and extent of the PHI involved, including the types of identifiers and the likelihood of PHI being re-identified;

(2)        identity of unauthorized person who received the PHI;

(3)        whether the PHI was actually acquired or viewed; and

(4)        the extent to which the risk to the PHI has been mitigated.

Importantly, HHS is not using the dictionary definition in asking whether information has been “compromised.”  Merriam-Webster defines “compromise” to mean “reveal or expose to an unauthorized person.”  The test described by HHS in the new regulation does not simply ask if that information was “revealed or exposed to an unauthorized person.”  Instead, hospitals must consider what PHI was involved, who received that PHI, and the extent to which any risk has been mitigated.

Thus, in some ways, HHS’s new test is not very different from what hospitals have been doing up to this point.  That said, even if the new test is more similar to the old test than HHS would like to admit, HHS did make clear that it expects hospitals to notify patients of breaches more often.  HHS noted that some individuals had interpreted the prior regulation as “setting a much higher threshold for breach notification than we intended to set.”

In the case at hand, the information in question was sent to another covered entity (a hospital) that has an obligation to comply with HIPAA.  In the preamble to the January 25, 2013 final regulation, HHS identified this as a factor that weighs against notification.  (78 Fed. Reg. 5566, 5643 (Jan. 25, 2013)).  Also, the PHI does not appear to be particularly sensitive (though the nature of the imaging tests should be reviewed).  Finally, it does not appear that the PHI on the CDs was even viewed, based on the comments of the hospital that received the mis-addressed package.  Thus, notification of the patients is probably not required.