Compliance Q&A: Potential breach from medical records

Compliance Monitor, January 11, 2012

Q. We found medical records about one of our patients in our parking lot. Is this a breach? What should we do?

A. With all the focus on keeping electronic records secure, there are still a lot of paper records out there. In this instance, the patient or his or her legal representative may have dropped the paperwork by accident. Or, more ominously, a staff member could have dropped it.

You should certainly do whatever you can to investigate how the records got to the parking lot and look into who might have seen them. When you have completed your investigation, you will be able to determine whether the incident is likely to cause harm to the patient. If you conclude that no harm was done, you do not have to report the incident to the patient or to HHS. That said, it is always wise to be as transparent as possible, and this would include notifying the patient.

In addition, it would be appropriate to remind your staff members that they should not take PHI out of the building. If you determine that someone removed the information for a legitimate purpose, you may want to purchase lockable bags for those who must transport PHI.

Editor’s note: Chris Simons, RHIA, originally answered this question in the January 2012 issue of the HCPro, Inc. newsletter, Medical Records Briefing. Simons is the director of utilization management and HIM, and privacy officer at Spring Harbor Hospital in Westbrook, ME.