A hospital found itself in the headlines after a review of stillbirths was posted online.
The hospital foundation trust reviewed the information at a board of directors meeting. The information included details about stillbirths, prior miscarriages and terminated pregnancies, plus the mothers' age and BMI. The board report included the following statement: “Restricted – Not to be copied or shared without the permission of the chair….” Despite this language, the report was publicly available online.
The online posting of information about stillbirths was clearly a mistake, and the hospital apologized. We don’t know exactly how this happened – but I have seen this type of inadvertent breach before, and I have a lot of empathy for organizations in this position. Sometimes, things simply fall through the cracks.
What you can do
Protected health information (PHI) gets overlooked sometimes.
You likely have many defined processes that protect PHI. For example, you probably have procedures that must be followed before releasing medical records. During COVID-19, you may be increasingly relying on procedures specifying when you can and cannot discuss patients with the media.
But what happens when we use PHI in a new or non-routine way? We don’t always have a procedure for every situation. This is when we rely on our HIPAA training to help us identify potential HIPAA problems and respond appropriately. For this reason, HIPAA training needs to include all individuals who could encounter PHI, including executives, board members, and even some contractors, volunteers, and students.
We can’t anticipate every possible HIPAA breach with a policy and procedure. But we can train our staff to recognize HIPAA risks as they arise.