Handling a high-risk HIPAA Breach
Published April 2017
Part of scenarios for patient privacy crisis management
Every hospital encounters patients who, because of their social circumstances, dependent status, personal characteristics, or the nature of their condition, are more vulnerable than the general population. While compliance with HIPAA is important, not least because a compliance failure can expose the hospital to significant liability, it should not be the only consideration when caring for vulnerable patients. Mere compliance with the minimum requirements of HIPAA does not guarantee the safety of vulnerable patients. In the case study scenario, the hospital emergency department in a small town admitted a 15-year-old female in emergency labor. After delivery in the emergency room, the mother and the baby were moved to the Obstetrics and Neonatal units. Despite appropriate care, the infant presented with multiple medical problems, which may or may not be resolved in the future. A nurse who took care of the young mother verbally disclosed the patient’s identity and condition to her own young daughter, who spread the news in all high schools in the area by the following day. The 15-year-old had managed to hide her pregnancy from her family. To complicate matters, the young mother’s mother and aunt work in the same hospital.
HIPAA assessment
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. The HIPAA Privacy Rule sets national standards for the protection of personal health information against unauthorized disclosure. The Privacy Rule can be found at 45 CFR Part 160 and 45 CFR Part 164, Subparts A and E. The standards, requirements, and implementation specifications apply to health plans, healthcare clearinghouses, and healthcare providers and their business associates. The Security Rule sets standards for protecting electronic health information. Enforcement of the regulation is the responsibility of the Office for Civil Rights (OCR), which is part of HHS. In this case study, the nurse disclosed personal health information, including the patient’s full identity and her medical condition, to an unauthorized individual. A nurse, as an employee of a covered entity, is indeed subject to obligations under HIPAA. The Site Privacy Officer’s first concerns should be to facilitate an investigation and a risk of harm assessment. If a Breach is substantiated and notification is required, the Site Privacy Officer shall notify each individual whose PHI has been accessed, acquired, used, or disclosed as a result of the Breach. In cooperation with other hospital functions, the Site Privacy Officer shall determine what additional external notifications should be made. In this case, it may be necessary to notify local law enforcement if there is reason to believe the minor’s pregnancy was the result of abuse, neglect, or domestic violence.
A breach or not?
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E which compromises the security or privacy of the PHI. Breach excludes unintentional acquisition, access, or use of PHI by a person acting under the authority of a covered entity, and inadvertent disclosure between employees of the same covered entity, as long as the information is not used or disclosed any further. Breach also excludes disclosures made to unauthorized persons who would not reasonably be able to retain such information. Any other acquisition, access, use, or disclosure of PHI not permitted under Subpart E is considered a breach [45 CFR 164.402]. Based on this definition, the incident indeed constitutes a breach of personal health information that does not fall under any of the exclusions. In the event of an impermissible use or disclosure of unsecured PHI, the covered entity is obligated to conduct a risk assessment. Breach notification is necessary in all situations where PHI has been compromised; it is not required only if the covered entity demonstrates that there is a low probability that PHI has been compromised. In this particular case, there is no doubt PHI has been compromised, since the information reached all four high schools in the area by the following day.
Breach notification
The HIPAA Breach notification rule [45 CFR 164.400-414] requires covered entities to report
breaches of health information that have not been rendered unusable, unreadable, or
indecipherable. Notification of the Breach has to be provided to the affected individuals, the
Secretary, and in certain circumstances, to the media. In this instance, the hospital would have to
report the Breach to the patient and to the Secretary within 60 days following the discovery of
the Breach. The notification must include a description of the Breach and the information
involved, and steps the individuals should take to protect themselves from potential harm.
The notification should also include a brief description of what the hospital is doing to investigate the
breach, mitigate the harm, and prevent further breaches, as well as contact information such as a
toll-free number. To notify the Secretary, the hospital shall submit the information via an
electronic form that is available on the OCR website.
Risk of Harm Assessment
In January 2013, the Risk of Harm standard was dropped from the final HIPAA Omnibus Rule.
The initial rule stated that a breach does not occur unless the access, use or disclosure poses "a
significant risk of financial, reputational, or other harm to an individual." It was up to the
covered entities to decide whether the harm standard applies or not. The new rule assumes that
all impermissible PHI disclosures are reportable (HHS, 2013). However, the risk assessment conducted by the hospital should not be limited to HIPAA compliance obligations. Risk is the probability that a threat will exploit a vulnerability, resulting in an adverse consequence. The hospital has to consider the potential harm to the affected patient as well as liabilities for the hospital and potential disruption of its own business operations.
The patient
The case study presents a myriad of ethical and legal problems in addition to HIPAA compliance. These concerns include the fact that the patient is an unemancipated minor, that her parents were unaware of her condition until the birth, and that the pregnancy may have been the result of rape or incest. The consequences of such a disclosure in a small town are easy to imagine. Whilst the general acceptance of unwed and underage mothers and of offspring conceived outside the traditional boundaries of formal marriage depends on location, time, and culture, some patterns are universal in nature and vary only in extent. A teenage mother and a child of uncertain parentage, especially if ill or disabled, are likely to face severe repercussions and lifelong shunning even in the most benign environments. Young mothers may be forced to give up their newborn babies and become themselves subject to retaliation from angry relatives, including the risk of violent death. According to RAINN, the overwhelming majority of victims of sexual abuse know the perpetrator. Even more disturbingly, in 80% of cases the perpetrator was a parent (RAINN, 2013).
Josephson (2016), in her book “Rethinking sexual citizenship”, discusses in detail the causes and consequences of early motherhood, including the various societal ills, both real and perceived, connected to the phenomenon of teenage motherhood. Teenage sexual activity is considered a deviancy and a threat to public order, and as such it is subject to widespread public shaming (pp. 82-84).
The experiences of teenage mothers can be extremely distressing due to public shaming,
shunning, rejection by the community and the family, and absence of elementary support. Even
worse, the children are often deprived of many opportunities later in their lives because of the biases and
prejudices they have to grow up with (Odyssey, 2016).
According to the “Report on Exploratory Study into Honor Violence Measurement Methods”, honor violence seems to be rare in the United States and apparently limited to ethnic minorities mainly from South East Asia. These cultures do not view honor violence as a crime, and the victims or potential victims are unlikely to report victimization because of fear of repercussions from their own family. These cultures defend honor violence as a means to maintain or regain the reputation and social standing of a family damaged by female members who violate the community’s traditions and norms, whether through sexually inappropriate behavior or disobedience (Helba, Bernstein, Leonard and Bauer, 2014). Other cultures find it appropriate to murder the infant whilst preserving the life of the female. Hungary, a country in Eastern Europe, is an example of a culture where infanticide is a generally accepted, although not legal, mechanism of restoring family honor (Journeyman Pictures, 2016). The risks to the mother and the infant following such a disclosure are grave and, depending on circumstances and on cultural and ethnic background, can include retaliation, infanticide, and honor violence.
The Infant
Genetic testing of the infant may be warranted to confirm paternity and to exclude or confirm that the pregnancy was the result of an incestuous relationship. Whether such a test would be permissible, and what authorization is required to conduct it, is a delicate question that requires careful professional judgment, both medical and legal. Genetic screening without parental consent is subject to much controversy, and the Newborn Screening Saves Lives Reauthorization Act of 2014 includes the requirement of parental consent for the screening of newborn babies for deadly yet treatable conditions (National Institutes of Health, 2015). The quality and speed of newborn screening programs vary from state to state (Gabler, 2013). Whelan (2013) argues that the main concern of privacy advocates and patient advocacy groups was not the initial screening itself but the indefinite retention of genetic material for undisclosed uses, potentially resulting in tangible harms in the future such as employment discrimination and loss of insurance coverage.
The American Society of Human Genetics (ASHG, 2015) published a position statement in which it clarified its stance on genome-scale, carrier, and newborn results, and covered a variety of conditions and circumstances including incest. While parental consent is required under most circumstances, a clinician’s judgment can override the lack of parental consent "when there is strong evidence that a secondary finding has urgent and serious implications for a child's health or welfare, and effective action can be taken to mitigate that threat". In this instance, the healthcare provider should be able to perform genetic testing even without the parents’ consent.
Mitigation of adverse consequences
Steps relating to the protection of the young mother and the infant shall be taken with full
consideration of the benefits and risks of available options and possible solutions.
Personal representative
With respect to use or disclosure, 45 CFR Part 160 does not preempt State Law with regard to the disclosure of protected health information about a minor to a parent [45 CFR 160.202(2)]. However, in this particular instance, the disclosure of the minor’s condition may not be in the best interest of the young mother and her newborn child. First, the minor’s parents or legal representatives were supposedly unaware of their daughter’s pregnancy. This fact alone should trigger the hospital’s procedures for the care of vulnerable minors, including potential victims of rape, incest, sexual abuse, parental neglect, domestic violence or human trafficking. A minor does not become an adult by virtue of becoming pregnant and giving birth. Regardless of the potential Breach, determining who is the patient’s legal representative, and making sure that she has an appropriate one, would be the most important first step.
A covered entity may elect not to treat a person as the personal representative of an individual if there is reason to believe that the individual may be subjected to domestic violence, abuse or neglect by such person, or that treating such person as the personal representative could endanger the individual [45 CFR 164.502 (g)(5)(i)(A)-(B)]. The hospital has the option to exercise its professional judgment and decide not to treat the person as the individual’s personal representative [45 CFR 164.502 (g)(ii)].
The rules for the emancipation of a minor vary from state to state. Whilst in most cases a court decision is required, in cases where the evidence shows that censurable parental conduct has occurred, implied emancipation may apply (Legal Information Institute, n.d.).
Protection of disclosure within the hospital
Permitted uses and disclosures include the use of the individual’s name, location, and condition
described in general terms to maintain the hospital’s directory and to be able to locate the
individual in the facility. The patient should have the opportunity to agree or object to such
disclosure [45 CFR 164.510(a)(1)(i)(A)-(C)]. In emergency circumstances, the health care
provider shall act in the individual’s best interest as determined by the covered health care
provider, in the exercise of professional judgment [45 CFR 164.510 (3)(B)].
Law enforcement disclosures
The Fourth Amendment to the U.S. Constitution states: “The right of the people to be secure in
their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not
be violated, and no warrants shall issue, but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be searched, and the persons or things to be
seized” (U.S. Constitution, Amendment IV). Medical records contain very sensitive information
about individual patients. Law enforcement searches are authorized as reasonable under very
specific circumstances and only to a specific extent. Whilst the pregnancy could have been the
result of a relationship between two sexually experimenting minors, the possibility that an adult
was involved deserves an appropriate investigation. Successfully hiding a pregnancy from an
immediate family is not an easy thing to achieve. Near-complete ignorance and willful blindness
are required not to notice that a teen living in the same household is pregnant and about to give
birth. Awareness of the pregnancy, in combination with the failure to provide appropriate
support, could indicate the intent not to allow the infant to live. In some cultures, infants born
from unapproved relationships are at risk of infanticide.
The Site Privacy Officer shall make appropriate disclosures to staff in functions designated to
coordinate high-risk cases of this nature with other appropriate departments and services, in
addition to the investigation of the Breach. To this end, additional external disclosures may be
necessary. A covered entity may use or disclose protected health information without the written
consent or authorization of the individual if there is a reason to believe that the individual is a
victim of abuse, neglect, or domestic violence. Such disclosure shall be limited in nature to
comply with relevant laws if the individual agrees, or to the extent expressly authorized by
statute or regulation [45 CFR 164.512 (c) (i) – (iii)]. Any attempts to mitigate the damage caused
by the Breach shall be appropriately documented for the Office for Civil Rights (OCR).
Obligations after impermissible disclosures
Once an impermissible disclosure has been made, covered entities should take steps to mitigate
the potential damage. Covered entities have a duty to identify and document security incidents
and privacy violations, including an impermissible disclosure. Appropriate safeguards include
administrative, technical, and physical safeguards that protect PHI from any intentional or
unintentional use or disclosure [45 CFR 164.530]. In response to the incident, the hospital should
examine the events that led to the disclosure. This primarily includes the review of the history of
impermissible uses and breach logs, training materials, and training records. A gap analysis and a
holistic vulnerability assessment would be beneficial to prevent future
breaches. Examination and review of the hiring process and critical assessment of organizational
culture would facilitate the change in the ways people think about patient privacy and the
implications of privacy breaches.
Personal accountability
The hospital shall have in place written policies and procedures regarding breach notification and
must train its workforce appropriately. The organization also has to apply appropriate
sanctions against staff members who fail to comply with HIPAA law as relevant to them. A
breach of this kind would warrant the review of the appropriateness of policies and procedures,
the record of previous breaches, and certainly a revision of training including a reminder of the
implications of such disclosures for the patients and for the hospital.
When hiring new people, the focus on technical skills shall not overshadow the importance of
character, trustworthiness, and ethical conduct. Although most organizations perform
background checks prior to hiring, these do not typically reveal qualities such as trustworthiness.
Workforce retention is a major problem in healthcare. Recent estimates placed the cost of staff
turnover at $40,000 to $80,000 per nurse, including the investment required to find a permanent
replacement, ensure staffing of shifts and provide onboarding training (Cohen, 2013).
A departing nurse can cause significant damage to the hospital, especially if hurt feelings are involved or the dismissal is perceived as unjust. Experience from the University of Rochester Medical Center shows how much damage a nurse can inflict on the hospital before leaving if she decides to take advantage of access to patient records that would give her the necessary leverage to either move to a new position or start a practice on her own (Shaw, 2016).
Whether the nurse who caused the Breach should be dismissed is a decision the Human Resources department would have to make. Considering the potential damage caused both to the patient and to the hospital, and the extensive resources that must be dedicated to mitigating the disclosure, immediate dismissal seems appropriate. The incident not only violates HIPAA but also represents a breach of the professional code of conduct and of hospital policies. Most importantly, it shows a lack of sound judgment, which may be critical in many other situations.
Any action taken by the hospital should be proportionate and fair to avoid scapegoating of a
single individual for conduct that may, in fact, be a widespread cultural problem observable
across the enterprise, especially when it is clear this was the result of a mishap rather than
malicious intent. A careful review of past incidents, policies, and procedures and quality of
training and training records should provide better guidance about what is appropriate. At the
very least, the nurse should be placed on administrative leave until the investigation is closed.
HIPAA v. the hospital
The risks to the hospital include liability relating to HIPAA compliance failure and tort claims, including negligence. HIPAA breaches and the implications of compliance failure are not the only liability the hospital’s leadership could face.
In 2012, in R.K. v. St. Mary’s Medical Center, the West Virginia Supreme Court of Appeals
ruled that HIPAA did not preempt state law, and provided the standard of care for tort claims.
The hospital shared R.K.’s medical information relating to his psychiatric hospitalization with
his estranged wife, despite the patient’s request not to. R.K.’s cause of action included negligence
(R.K. v. St. Mary’s Medical Center, 2012).
In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court ruled that HIPAA does not preempt negligence claims for a breach of patient privacy. In this particular case, Emily Byrne’s medical information was shared with her partner against her wishes. The healthcare provider received a subpoena from her partner’s attorney in a paternity suit and complied with the request, disclosing Byrne’s medical information to her significant other. Byrne then successfully sued the provider for negligence (Byrne v. Avery Center for Obstetrics and Gynecology, 2014). Lewis, in The National Law Review (2014), stressed that the fact that HIPAA does not give patients a private right of action does not mean that remedies for questionable disclosures do not exist. Remedies include state health laws and common law torts (Lewis, 2014).
Conclusion
Disclosure of protected health information in circumstances that would make the individual
subject to serious repercussions is a major concern for the affected individual and for the
hospital. The incident represents a complex set of medical, legal and ethical concerns in addition
to HIPAA violations. Professional judgment is required to decide whether or not there is a reason
to believe the teen may have been the victim of abuse, neglect or domestic violence, whether the
hospital can deny disclosure of the patient’s PHI to her parents, and whether implied
emancipation applies in this case. The hospital’s post-incident assessment shall address the risk of
harm to the affected patient and her infant child, review previous instances of improper
disclosures and breaches, implement corrective and preventative action to ensure HIPAA
compliance, and address other risks, such as the risk of litigation for negligence. The Human
Resources Department shall make the decision about the nurse’s future employment, and place
her on administrative leave until the completion of the investigation. Gap analysis and critical
assessment of organizational culture would be beneficial to identify vulnerabilities in the
hospital’s operations and address them appropriately. Policies and procedures have to be
implemented with fidelity to be effective. Review of training materials, procedures,
methodologies, and training effectiveness has to follow to prevent inadvertent disclosures in the
future. Dismissal of a single employee does not solve the problem of systemic issues and
organizational culture that need to be addressed separately to be effective.
Bibliography
ASHG. (2015). ASHG Position Statement Provides Guidance for Genetic Testing in Children and Adolescents. Retrieved April 04, 2017, from https://www.genomeweb.com/molecular-diagnostics/ashg-position-statement-provides-guidance-genetic-testing-children-and
Cohen, S. (2013). Recruitment and retention. OR Nurse, 7(3), 8-10. doi:10.1097/01.orn.0000429410.21897.75
Gabler, E. (2013). Delays at hospitals across the country undermine newborn screening programs, putting babies at risk of disability and death. Retrieved April 04, 2017, from http://archive.jsonline.com/watchdog/watchdogreports/Deadly-Delays-Watchdog-Report-Delays-at-hospitals-across-the-country-undermine-newborn-screening-programs-putting-babies-at-risk-of-disability-and-death-228832111.html
Helba, C., Bernstein, M., Leonard, M., & Bauer, E. (2014). Report on Exploratory Study into Honor Violence Measurement Methods (Rep. No. 248879). Westat.
HHS Office of the Secretary. (2013). Breach Notification Rule. Retrieved April 04, 2017, from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?language=es
HHS Office of the Secretary. (2015, November 05). Privacy Rule Introduction. Retrieved March 25, 2017, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/introduction/index.html
HIPAA Privacy Rule Requirements Overview. (2003). The Practical Guide to HIPAA Privacy and Security Compliance. doi:10.1201/9780203507353.ch5
Josephson, J. J. (2016). Rethinking sexual citizenship. Albany: State University of New York Press.
Journeyman Pictures. (2016). Infanticide in Eastern Europe (1999). Retrieved April 04, 2017, from https://www.youtube.com/watch?v=ZjSC1xiQd-Q
Legal Information Institute. (2007). Emancipation of Minors. Retrieved April 04, 2017, from https://www.law.cornell.edu/wex/emancipation_of_minors
Lewis, J. (2014). Negligence Claims for Breach of Patient Privacy Not Preempted by HIPAA, Connecticut Supreme Court Holds. Retrieved April 04, 2017, from http://www.natlawreview.com/article/negligence-claims-breach-patient-privacy-not-preempted-hipaa-connecticut-supreme-cou
National Institutes of Health. (2015). Preliminary Guidance Related to Informed Consent for Research on Dried Blood Spots Obtained Through Newborn Screening. Retrieved April 04, 2017, from https://grants.nih.gov/grants/guide/notice-files/NOT-OD-15-127.html
Odyssey. (2016, May 31). The Damaging Effects of Shaming Teen Mothers. Retrieved April 04, 2017, from https://www.theodysseyonline.com/damaging-effects-shaming-teen-mothers
RAINN. (n.d.). Children and Teens: Statistics. Retrieved April 04, 2017, from https://www.rainn.org/statistics/children-and-teens
R.K. v. St. Mary's Medical Center, 735 S.E.2d 715, 229 W.Va. 712 (November 15, 2012).
Shaw, G. (2016). Departing Nurse’s HIPAA Breach Spurs New Privacy Policies at URMC — A Case In Point for Reviewing and Tightening Practices. Neurology Today, 16(3), 11-12. doi:10.1097/01.nt.0000480943.34345.44
Warren, Z. (2014). Connecticut Supreme Court rules that HIPAA does not preempt negligence claim. Retrieved April 04, 2017, from http://www.insidecounsel.com/2014/11/11/connecticut-supreme-court-rules-that-hipaa-does-no?slreturn=1491315877
Whelan, A. M. (2013). That's My Baby: Why the State's Interest in Promoting Public Health Does Not Justify Residual Newborn Blood Spot Research Without Parental Consent. Minnesota Law Review, 98, 419-453. doi:10.2139/ssrn.2590100