Only the patient, the patient’s personal representative and authorized parties may receive protected health information. Authorized parties include either those designated on a patient-signed authorization or covered entities using the information for treatment, payment or health care operations. Under the HIPAA Privacy Rule, covered entities cannot otherwise disclose PHI without authorization. Releasing the wrong patient’s information would mean the patient whom the medical record belongs to did not authorize the disclosure. A violation of this nature would likely be accidental but is nonetheless a breach of privacy that would be subject to civil or even criminal consequences.
How HIPAA Help Center can assist covered entities avoid this violation
There are a number of ways covered entities may release the wrong patient’s PHI and ePHI, so health care providers must have adequate safeguards in place. The Asset Inventory module provides one such security measure. This feature documents what digital media contains ePHI and which workforce members use each piece of technology. With this tool, covered entities can better track information, ensuring it is all in the hands of individuals educated through the Training module. The Asset Inventory module can additionally help practices evaluate whether technology needs upgrades, as faulty devices may incorrectly send out information, leading to a breach in privacy. If a covered entity discloses the wrong patient’s PHI, the recipient may call the health care providers to inform them. Under HIPAA, covered entities must record any feedback. The Feedback feature provides a place for users to store this information.
Frequently asked questions about releasing the wrong patient’s PHI:
How might a covered entity accidentally release PHI or ePHI to the wrong patient?
Under HIPAA, covered entities are allowed to use technological devices to communicate about health records. However, this can make violations harder to avoid. For example, a national health maintenance organization violated HIPAA by mailing an explanation of benefits to a patient’s unauthorized family member instead of the actual patient, the U.S. Department of Health and Human Services explained. The organization sent the documents to the wrong party due to a glitch in the computer system, highlighting the importance of evaluating the reliability of any technology that is used.
Who must covered entities inform if they disclose the wrong patient’s PHI?
Covered entities responsible for sending PHI to the wrong patient must inform the patient whose information they disclosed in an unauthorized manner. The health providers must also notify the HHS Secretary of breaches of unsecured health information. The Incident Response module guides users through this process.