The following excerpt is from the River Falls Journal website. The article is dated Feb 1, 2013.
River Falls Medical Clinic says it has notified about 2,400 clients of a breach of unsecured personal information. The breach occurred after clinic officials reported stolen equipment to the River Falls Police in the summer of 2012.
The short version of the story is this: a member of the cleaning crew stole paper patient documents from the medical office. The documents were sitting in a box awaiting shredding.
Essentially, the office kept a box for documents to be shredded later. Then, probably about once a month, a shredding truck would stop by and shred everything for the office.
Seems innocent enough…right?
This is where risk management and common sense go different directions.
Common sense assumes that people are reasonable. This is an example where one of the people involved was not reasonable…and the medical practice got stung.
This practice should have had a Business Associate Agreement (BAA) on file with this cleaning company.
“But wait,” you say, “a business associate agreement would not have changed the outcome.”
True: this thief would probably still have stolen what he did. Yet the article mentions that the medical practice is supplying ID theft protection to the affected patients for a year, and the cost involved in this is substantial. A properly written business associate agreement would have placed that financial responsibility on the cleaning company.
“And another thing, isn’t this considered ‘incidental’ by the HHS?”
Well…somebody has been reading. Very good.
If you look at the HHS website you’ll see this item buried in there:
I’m not an attorney, but I am a risk management expert.
Whether the exposure is incidental or not, if somebody doing work for you comes across PHI in your office, your practice is carrying a risk.
Your goal should be to shift that risk from you to the other entity.
This is accomplished by a business associate agreement. Keep in mind what it does and does not do: it contractually shifts cost and liability to the vendor, but it does not relieve your practice of its own obligations as the covered entity, including notifying affected patients if a breach occurs.
Also remember this: any breach your practice has puts the spotlight on your practice. This means questions will be asked about your HIPAA policies, training, and safeguards.
“Well, if the HHS website says I don’t have to do it, then…”
OK, if this is all a game to you, then continue with your game. But if you are a professional running a real business, then you should take seriously every effort to minimize the risk to your practice.