Breach of minimum necessary and confidential communications requirements in telephone messages.
Case: A hospital employee did not observe the minimum necessary requirements when she left a telephone message with the daughter of a patient detailing the mother's medical condition and treatment plan. An OCR investigation also found that the confidential communications requirements were not followed: the employee left the message at the patient's home telephone number, despite the patient's instructions to contact her through her work number.
The hospital developed and implemented several new procedures:
- The procedures limit the content of telephone messages to the minimum necessary information.
- Employees are trained to review registration information for patient contact directives (such as which number to call and whether a message may be left) before leaving a message. These procedures were incorporated into the standard staff privacy training.
Breach of privacy in a private practice waiting room.
Case: A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals present. In addition, computer screens displaying patient information were easily visible to patients.
- OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to communication of PHI.
- The practice retrained staff on newly developed policies and procedures.
- OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and to install computer monitor privacy screens.
Impermissible disclosure of PHI in response to a subpoena.
Case: A public hospital responded to a subpoena that was not accompanied by a court order and impermissibly disclosed the PHI of one of its patients. The HIPAA Privacy Rule permits disclosure for administrative or judicial proceedings in response to such a subpoena only if the covered entity either receives satisfactory assurance that reasonable efforts were made to give the individual whose PHI is sought notice of the request, or receives satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. The hospital obtained neither assurance before disclosing the records.
OCR required the hospital to revise its subpoena processing procedures and to retrain staff:
- If a subpoena is received that does not meet the requirements of the HIPAA Privacy Rule, the information is not disclosed; instead, the hospital contacts the party that issued the subpoena and explains the Privacy Rule's requirements.
- Relevant staff members are retrained on the new procedures.