Thursday, May 8, 2014

Jane and Martha are friends having lunch when Martha, in general conversation, says to Jane, "I hope your mom's lab tests come back ok." Martha is the contracted bookkeeper at the office of Jane's mom's doctor. The assumption is that Martha meant no harm by the remark, yet it is a breach of Jane's mom's privacy. In addition, Martha doesn't know what type of blood work was done and didn't see the medical record, only the billing transactions. After lunch, Jane, curious about the blood work, calls her mom. Now Jane's mother feels uncomfortable because she hadn't told her daughter; she didn't want to worry her. This situation could spiral out of control, with Jane's mom calling the doctor's office upset that her daughter knows about her medical treatment. How should this situation be handled?

The HIPAA Privacy Rule was violated. Martha is considered a Business Associate of the Covered Entity, the doctor's office. Under the 2013 HIPAA changes, Martha and the doctor should have signed a Business Associate Agreement whose terms ensure both parties understand their HIPAA privacy obligations and liabilities. In the situation with Jane's mother, the degree of harm has to be weighed and the appropriate action taken, which must include mitigating the potential for future cases. When more than one individual's information is breached, the cost of administering the breach process, which includes reporting to HHS and state agencies along with penalties, can grow for both the Covered Entity and the Business Associate.


The key to keeping that cost down is ensuring the signed terms of the agreement are clear to both parties, evaluating business practices periodically, and keeping communication open about gray areas and situations.

Monday, May 5, 2014

The trend of moving from paper to digital has spread from large medical practices to smaller organizations. Dentists, chiropractors, holistic doctors, and acupuncturists are gaining a significant return on investment that allows them to downsize their office space and/or expand their practice. While organizations research which digital solutions to use, such as BOX with the Snap-File solution, they still have to ensure that daily practices and employees meet HIPAA/HITECH security requirements. These organizations are establishing policies and practices for HIPAA/HITECH safeguards and working to schedule risk assessments. A question we've been asked is "In an operation of one or two people, who is the Security Officer?" What matters more than who holds the position is that the necessary controls are in place and being managed to ensure PHI (personal health information) data is protected.