Corporate Compliance

Disclosing breaches

Compliance Monitor, March 23, 2007

Q: When should we voluntarily tell patients about privacy breaches?

A: Many organizations have struggled with this issue, trying to balance protecting the patient from harm against protecting their own reputations within their communities. It's always a good idea to discuss specific situations with legal counsel before deciding whether to report breaches to patients and how much information to disclose.

Generally, you should disclose a breach to the patient if you think there is a reasonable likelihood that the patient will be harmed by the breach. For example, if a collection of patient records is found in a public dumpster and the news media reports the story, it's probably a good idea to notify the patients whose records were found and let them know what happened and how you're handling the incident.

But if there's a very low risk of harm to the patient, you may choose to address the problem without notifying the patient. For example, if a copy of a lab report is faxed to the wrong physician's office, you'll want to investigate how the error occurred, but it's not likely that the patient would be harmed by this mistake.

Thanks to Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, for answering this question.
