• E-mail
• Print
• RSS

Q&A: Potential PHI breach from found medical records

HIM Connection, January 10, 2012

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

Q We found medical records about one of our patients in our parking lot. Is this a breach? What should we do?

A: With all the focus on keeping electronic records secure, a lot of paper records still exist. In this instance, the patient or his or her legal representative may have dropped the paperwork by accident. Or, more ominously, a staff member could have dropped them.

You should certainly do whatever you can to investigate how the records got to the parking lot and look into who might have seen them. When you have completed your investigation, you will be able to determine whether the incident is likely to cause harm to the patient. If you conclude that no harm was done, you do not have to report the incident to the patient or to HHS. That said, it is always wise to be as transparent as possible, and this would include notifying the patient.

In addition, it would be appropriate to remind your staff members that they should not take PHI out of the building. If you determine that someone removed the information for a legitimate purpose, you may want to purchase lockable bags for those who must transport PHI.

Editor’s note: Chris Simons, RHIA, originally answered this question in the January issue of Medical Records Briefing. Simons is director of utilization management and HIM, and privacy officer at Spring Harbor Hospital in Westbrook, ME.

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive